Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TM-810] OAS: added bastion #9016

Merged
merged 4 commits into from
Dec 9, 2024
Merged

[TM-810] OAS: added bastion #9016

merged 4 commits into from
Dec 9, 2024

Conversation

vladimir-kovalyov
Copy link
Contributor

OAS: added bastion

@vladimir-kovalyov vladimir-kovalyov requested review from a team as code owners December 9, 2024 11:42
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 9, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 9, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/oas

Running Trivy in terraform/environments/oas
2024-12-09T11:44:55Z INFO [vulndb] Need to update DB
2024-12-09T11:44:55Z INFO [vulndb] Downloading vulnerability DB...
2024-12-09T11:44:55Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T11:44:57Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T11:44:57Z INFO [vuln] Vulnerability scanning is enabled
2024-12-09T11:44:57Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-09T11:44:57Z INFO [misconfig] Need to update the built-in checks
2024-12-09T11:44:57Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-09T11:44:59Z INFO [secret] Secret scanning is enabled
2024-12-09T11:44:59Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-09T11:44:59Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-09T11:45:00Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-09T11:45:00Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc00029f301?}}, {0x0?, 0x0?}})
/home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc001159a40, 0xc003fcbc50)
/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc001159a40)
/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc0050b5ae0)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc0050b5ae0)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc0050b5ae0)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc0050b5ae0, {0x58f3078, 0xc0015c9920})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc002ea2aa0, {0x58f3078, 0xc0015c9920}, 0xc000f28080)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc002ea2aa0, {0x58f3078, 0xc0015c9920}, 0xc0076883f0)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc002ea2aa0, {0x58f3078, 0xc0015c9920})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc00503c6e0, {0x58f3078, 0xc0015c9920}, 0xc007761d00)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc00503c6e0, {0x58f3078, 0xc0015c9920}, 0xc006704390)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc00503c6e0, {0x58f3078, 0xc0015c9920})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc00663cfc0, {0x58f3078, 0xc0015c9920})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc001722c60, {0x58f3078, 0xc0015c9920}, {0x58b12c0, 0xc000010de0}, {0x58959e8, 0x1})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc001802000, {0x58f3120, 0xc00054caf0}, {0x58b12c0, 0xc0006e54e8})
/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000cec040, {0x58f3120?, 0xc00054caf0?}, {{0x58b12c0?, 0xc0006e54e8?}, {0x9?, 0x0?}})
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc001380910, {0xc001095000, 0x1f, 0x20}, {0xc000963400, 0x16, 0x20}, 0xc001102d20, {0x47ad91d, 0x7}}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffcdd9a3b51, 0x2c}, {0x7f8799d92498, 0xc000572340}, {0x58b11e0, 0x827fc80}, {0xc001380910, {0xc001095000, 0x1f, 0x20}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{, }, {, }}, {, }, {{0xc000da2fa0, 0x2, 0x2}, {0xc000e6b840, ...}, ...})
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(, {_, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc000b17ee0, ...}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc0007b3b08, {0xc0005652c0, 0x1, 0xa})
/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc0007b3b08, {0xc000564dc0, 0xa, 0xa})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc0007b3208)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041 +0x13
main.run()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/oas

*****************************

Running Checkov in terraform/environments/oas
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-09 11:45:04,412 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-09 11:45:04,413 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 93, Failed checks: 39, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.default_oas
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "default_oas" {
		2 |   name = "${local.application_name}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /cloudwatch.tf:102-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "pagerduty_core_alerts" {
		103 |   depends_on = [
		104 |     module.cwalarm
		105 |   ]
		106 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		107 |   sns_topics                = [local.sns_topic_name]
		108 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		109 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oas_app_instance
	File: /ec2.tf:16-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		16 | resource "aws_instance" "oas_app_instance" {
		17 |   ami = local.application_data.accounts[local.environment].ec2amiid
		18 |   # associate_public_ip_address = false
		19 |   availability_zone = "eu-west-2a"
		20 |   ebs_optimized     = true
		21 |   instance_type     = local.application_data.accounts[local.environment].ec2instancetype
		22 |   # vpc_security_group_ids      = [aws_security_group.ec2.id]
		23 |   monitoring = true
		24 |   # subnet_id                   = data.aws_subnet.private_subnets_a.id
		25 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		26 |   user_data_replace_on_change = true
		27 |   user_data                   = base64encode(data.local_file.userdata.content)
		28 | 
		29 | 
		30 | 
		31 |   network_interface {
		32 |     network_interface_id = aws_network_interface.oas_eni.id
		33 |     device_index         = 0
		34 |   }
		35 | 
		36 |   root_block_device {
		37 |     delete_on_termination = false
		38 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		39 |     volume_size           = 40
		40 |     volume_type           = "gp2"
		41 |     tags = merge(
		42 |       local.tags,
		43 |       { "Name" = "${local.application_name}-root-volume" },
		44 |     )
		45 |   }
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "${local.application_name} Apps Server" },
		50 |     { "instance-scheduling" = "skip-scheduling" },
		51 |     { "snapshot-with-daily-7-day-retention" = "yes" }
		52 |   )
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:266-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		266 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		267 |   #tfsec:ignore:aws-iam-no-policy-wildcards
		268 |   name = "${local.application_name}-ec2-policy"
		269 |   role = aws_iam_role.ec2_instance_role.id
		270 | 
		271 |   # Terraform's "jsonencode" function converts a
		272 |   # Terraform expression result to valid JSON syntax.
		273 |   policy = jsonencode({
		274 |     Version = "2012-10-17"
		275 |     Statement = [
		276 |       {
		277 |         Action = [
		278 |           "ec2:Describe*",
		279 |         ]
		280 |         Effect   = "Allow"
		281 |         Resource = "*"
		282 |       },
		283 |       {
		284 |         Effect = "Allow",
		285 |         Action = [
		286 |           "s3:ListBucket",
		287 |         ],
		288 |         Resource = [
		289 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001",
		290 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		291 |         ]
		292 |       },
		293 |       {
		294 |         Effect = "Allow",
		295 |         Action = [
		296 |           "s3:GetObject",
		297 |           "s3:PutObject",
		298 |           "s3:PutObjectAcl",
		299 |         ],
		300 |         Resource = [
		301 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		302 |         ]
		303 |       }
		304 |     ]
		305 |   })
		306 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.cwalarm.aws_sns_topic.alerting_topic
	File: /modules/cloudwatch/cloudwatch.tf:38-40
	Calling File: /cloudwatch.tf:94-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		38 | resource "aws_sns_topic" "alerting_topic" {
		39 |   name = var.snsTopicName
		40 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.allow_secret_manager
	File: /modules/rotate_secrets_lambda/main.tf:117-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		117 | resource "aws_lambda_permission" "allow_secret_manager" {
		118 |   action        = "lambda:InvokeFunction"
		119 |   function_name = aws_lambda_function.rotate_secrets.function_name
		120 |   principal     = "secretsmanager.amazonaws.com"
		121 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rotate_secrets_lambda
	File: /modules/rotate_secrets_lambda/main.tf:123-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		123 | resource "aws_cloudwatch_log_group" "rotate_secrets_lambda" {
		124 |   name              = aws_lambda_function.rotate_secrets.function_name
		125 |   retention_in_days = var.log_group_retention_days
		126 |   lifecycle {
		127 |     prevent_destroy = true
		128 |   }
		129 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeORAHOME
	File: /ec2.tf:308-324
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		308 | resource "aws_ebs_volume" "EC2ServerVolumeORAHOME" {
		309 |   availability_zone = "eu-west-2a"
		310 |   size              = local.application_data.accounts[local.environment].orahomesize
		311 |   type              = "gp3"
		312 |   encrypted         = true
		313 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		314 |   snapshot_id       = local.application_data.accounts[local.environment].orahome_snapshot
		315 | 
		316 |   lifecycle {
		317 |     ignore_changes = [kms_key_id]
		318 |   }
		319 | 
		320 |   tags = merge(
		321 |     local.tags,
		322 |     { "Name" = "${local.application_name}-EC2ServerVolumeORAHOME" },
		323 |   )
		324 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeSTAGE
	File: /ec2.tf:332-348
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		332 | resource "aws_ebs_volume" "EC2ServerVolumeSTAGE" {
		333 |   availability_zone = "eu-west-2a"
		334 |   size              = local.application_data.accounts[local.environment].stageesize
		335 |   type              = "gp3"
		336 |   encrypted         = true
		337 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		338 |   snapshot_id       = local.application_data.accounts[local.environment].stage_snapshot
		339 | 
		340 |   lifecycle {
		341 |     ignore_changes = [kms_key_id]
		342 |   }
		343 | 
		344 |   tags = merge(
		345 |     local.tags,
		346 |     { "Name" = "${local.application_name}-EC2ServerVolumeSTAGE" },
		347 |   )
		348 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/oas

*****************************

Running tflint in terraform/environments/oas
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/ec2.tf line 1:
   1: data "local_file" "userdata" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/weblogic.tf line 1:
   1: resource "random_password" "weblogic" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/oas

*****************************

Running Trivy in terraform/environments/oas
2024-12-09T11:44:55Z	INFO	[vulndb] Need to update DB
2024-12-09T11:44:55Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-09T11:44:55Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T11:44:57Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T11:44:57Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-09T11:44:57Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-09T11:44:57Z	INFO	[misconfig] Need to update the built-in checks
2024-12-09T11:44:57Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-09T11:44:59Z	INFO	[secret] Secret scanning is enabled
2024-12-09T11:44:59Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-09T11:44:59Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-09T11:45:00Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-09T11:45:00Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc00029f301?}}, {0x0?, 0x0?}})
	/home/runner/go/pkg/mod/github.com/zclconf/go-cty@v1.15.0/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc001159a40, 0xc003fcbc50)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc001159a40)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc0050b5ae0)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc0050b5ae0)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc0050b5ae0)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc0050b5ae0, {0x58f3078, 0xc0015c9920})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc002ea2aa0, {0x58f3078, 0xc0015c9920}, 0xc000f28080)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc002ea2aa0, {0x58f3078, 0xc0015c9920}, 0xc0076883f0)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc002ea2aa0, {0x58f3078, 0xc0015c9920})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc00503c6e0, {0x58f3078, 0xc0015c9920}, 0xc007761d00)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc00503c6e0, {0x58f3078, 0xc0015c9920}, 0xc006704390)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc00503c6e0, {0x58f3078, 0xc0015c9920})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc00663cfc0, {0x58f3078, 0xc0015c9920})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc001722c60, {0x58f3078, 0xc0015c9920}, {0x58b12c0, 0xc000010de0}, {0x58959e8, 0x1})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc001802000, {0x58f3120, 0xc00054caf0}, {0x58b12c0, 0xc0006e54e8})
	/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000cec040, {0x58f3120?, 0xc00054caf0?}, {{0x58b12c0?, 0xc0006e54e8?}, {0x9?, 0x0?}})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc001380910, {0xc001095000, 0x1f, 0x20}, {0xc000963400, 0x16, 0x20}, 0xc001102d20, {0x47ad91d, 0x7}}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffcdd9a3b51, 0x2c}, {0x7f8799d92498, 0xc000572340}, {0x58b11e0, 0x827fc80}, {0xc001380910, {0xc001095000, 0x1f, 0x20}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc000da2fa0, 0x2, 0x2}, {0xc000e6b840, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc000b17ee0, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc0007b3b08, {0xc0005652c0, 0x1, 0xa})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc0007b3b08, {0xc000564dc0, 0xa, 0xa})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc0007b3208)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1041 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 9, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/oas

Running Trivy in terraform/environments/oas
2024-12-09T13:19:13Z INFO [vulndb] Need to update DB
2024-12-09T13:19:13Z INFO [vulndb] Downloading vulnerability DB...
2024-12-09T13:19:13Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T13:19:15Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T13:19:15Z INFO [vuln] Vulnerability scanning is enabled
2024-12-09T13:19:15Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-09T13:19:15Z INFO [misconfig] Need to update the built-in checks
2024-12-09T13:19:15Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-09T13:19:17Z INFO [secret] Secret scanning is enabled
2024-12-09T13:19:17Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-09T13:19:17Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-09T13:19:18Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-09T13:19:18Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc00029d301?}}, {0x0?, 0x0?}})
/home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc0069961c0, 0xc004447710)
/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc0069961c0)
/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc004a7f540)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc004a7f540)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc004a7f540)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc004a7f540, {0x58f3078, 0xc00178da70})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc002fa7720, {0x58f3078, 0xc00178da70}, 0xc006a6abc0)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc002fa7720, {0x58f3078, 0xc00178da70}, 0xc004184c30)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc002fa7720, {0x58f3078, 0xc00178da70})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc003c60320, {0x58f3078, 0xc00178da70}, 0xc00664d8c0)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc003c60320, {0x58f3078, 0xc00178da70}, 0xc003e78270)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc003c60320, {0x58f3078, 0xc00178da70})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc0037f7e60, {0x58f3078, 0xc00178da70})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc001188ab0, {0x58f3078, 0xc00178da70}, {0x58b12c0, 0xc000792720}, {0x58959e8, 0x1})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc00116f7c0, {0x58f3120, 0xc0009296c0}, {0x58b12c0, 0xc0014b0a50})
/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000fa55a0, {0x58f3120?, 0xc0009296c0?}, {{0x58b12c0?, 0xc0014b0a50?}, {0x9?, 0x0?}})
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc000510fb0, {0xc000a27600, 0x1f, 0x20}, {0xc0008c6c00, 0x16, 0x20}, 0xc000e40f60, {0x47ad91d, 0x7}}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffe89472b50, 0x2c}, {0x7efe24c6f548, 0xc000369a80}, {0x58b11e0, 0x827fc80}, {0xc000510fb0, {0xc000a27600, 0x1f, 0x20}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{, }, {, }}, {, }, {{0xc00095f320, 0x2, 0x2}, {0xc000a67340, ...}, ...})
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(, {_, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc0006fcc60, ...}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc000b11208, {0xc000eb7540, 0x1, 0xa})
/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc000b11208, {0xc000eb7400, 0xa, 0xa})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc000b10008)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041 +0x13
main.run()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/oas

*****************************

Running Checkov in terraform/environments/oas
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-09 13:19:21,577 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-09 13:19:21,577 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 93, Failed checks: 39, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.default_oas
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "default_oas" {
		2 |   name = "${local.application_name}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /cloudwatch.tf:102-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "pagerduty_core_alerts" {
		103 |   depends_on = [
		104 |     module.cwalarm
		105 |   ]
		106 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		107 |   sns_topics                = [local.sns_topic_name]
		108 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		109 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oas_app_instance
	File: /ec2.tf:16-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		16 | resource "aws_instance" "oas_app_instance" {
		17 |   ami = local.application_data.accounts[local.environment].ec2amiid
		18 |   # associate_public_ip_address = false
		19 |   availability_zone = "eu-west-2a"
		20 |   ebs_optimized     = true
		21 |   instance_type     = local.application_data.accounts[local.environment].ec2instancetype
		22 |   # vpc_security_group_ids      = [aws_security_group.ec2.id]
		23 |   monitoring = true
		24 |   # subnet_id                   = data.aws_subnet.private_subnets_a.id
		25 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		26 |   user_data_replace_on_change = true
		27 |   user_data                   = base64encode(data.local_file.userdata.content)
		28 | 
		29 | 
		30 | 
		31 |   network_interface {
		32 |     network_interface_id = aws_network_interface.oas_eni.id
		33 |     device_index         = 0
		34 |   }
		35 | 
		36 |   root_block_device {
		37 |     delete_on_termination = false
		38 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		39 |     volume_size           = 40
		40 |     volume_type           = "gp2"
		41 |     tags = merge(
		42 |       local.tags,
		43 |       { "Name" = "${local.application_name}-root-volume" },
		44 |     )
		45 |   }
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "${local.application_name} Apps Server" },
		50 |     { "instance-scheduling" = "skip-scheduling" },
		51 |     { "snapshot-with-daily-7-day-retention" = "yes" }
		52 |   )
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:273-313
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		273 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		274 |   #tfsec:ignore:aws-iam-no-policy-wildcards
		275 |   name = "${local.application_name}-ec2-policy"
		276 |   role = aws_iam_role.ec2_instance_role.id
		277 | 
		278 |   # Terraform's "jsonencode" function converts a
		279 |   # Terraform expression result to valid JSON syntax.
		280 |   policy = jsonencode({
		281 |     Version = "2012-10-17"
		282 |     Statement = [
		283 |       {
		284 |         Action = [
		285 |           "ec2:Describe*",
		286 |         ]
		287 |         Effect   = "Allow"
		288 |         Resource = "*"
		289 |       },
		290 |       {
		291 |         Effect = "Allow",
		292 |         Action = [
		293 |           "s3:ListBucket",
		294 |         ],
		295 |         Resource = [
		296 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001",
		297 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		298 |         ]
		299 |       },
		300 |       {
		301 |         Effect = "Allow",
		302 |         Action = [
		303 |           "s3:GetObject",
		304 |           "s3:PutObject",
		305 |           "s3:PutObjectAcl",
		306 |         ],
		307 |         Resource = [
		308 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		309 |         ]
		310 |       }
		311 |     ]
		312 |   })
		313 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.cwalarm.aws_sns_topic.alerting_topic
	File: /modules/cloudwatch/cloudwatch.tf:38-40
	Calling File: /cloudwatch.tf:94-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		38 | resource "aws_sns_topic" "alerting_topic" {
		39 |   name = var.snsTopicName
		40 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.allow_secret_manager
	File: /modules/rotate_secrets_lambda/main.tf:117-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		117 | resource "aws_lambda_permission" "allow_secret_manager" {
		118 |   action        = "lambda:InvokeFunction"
		119 |   function_name = aws_lambda_function.rotate_secrets.function_name
		120 |   principal     = "secretsmanager.amazonaws.com"
		121 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rotate_secrets_lambda
	File: /modules/rotate_secrets_lambda/main.tf:123-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		123 | resource "aws_cloudwatch_log_group" "rotate_secrets_lambda" {
		124 |   name              = aws_lambda_function.rotate_secrets.function_name
		125 |   retention_in_days = var.log_group_retention_days
		126 |   lifecycle {
		127 |     prevent_destroy = true
		128 |   }
		129 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeORAHOME
	File: /ec2.tf:315-331
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		315 | resource "aws_ebs_volume" "EC2ServerVolumeORAHOME" {
		316 |   availability_zone = "eu-west-2a"
		317 |   size              = local.application_data.accounts[local.environment].orahomesize
		318 |   type              = "gp3"
		319 |   encrypted         = true
		320 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		321 |   snapshot_id       = local.application_data.accounts[local.environment].orahome_snapshot
		322 | 
		323 |   lifecycle {
		324 |     ignore_changes = [kms_key_id]
		325 |   }
		326 | 
		327 |   tags = merge(
		328 |     local.tags,
		329 |     { "Name" = "${local.application_name}-EC2ServerVolumeORAHOME" },
		330 |   )
		331 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeSTAGE
	File: /ec2.tf:339-355
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		339 | resource "aws_ebs_volume" "EC2ServerVolumeSTAGE" {
		340 |   availability_zone = "eu-west-2a"
		341 |   size              = local.application_data.accounts[local.environment].stageesize
		342 |   type              = "gp3"
		343 |   encrypted         = true
		344 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		345 |   snapshot_id       = local.application_data.accounts[local.environment].stage_snapshot
		346 | 
		347 |   lifecycle {
		348 |     ignore_changes = [kms_key_id]
		349 |   }
		350 | 
		351 |   tags = merge(
		352 |     local.tags,
		353 |     { "Name" = "${local.application_name}-EC2ServerVolumeSTAGE" },
		354 |   )
		355 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/oas

*****************************

Running tflint in terraform/environments/oas
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/ec2.tf line 1:
   1: data "local_file" "userdata" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/weblogic.tf line 1:
   1: resource "random_password" "weblogic" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/oas

*****************************

Running Trivy in terraform/environments/oas
2024-12-09T13:19:13Z	INFO	[vulndb] Need to update DB
2024-12-09T13:19:13Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-09T13:19:13Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T13:19:15Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T13:19:15Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-09T13:19:15Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-09T13:19:15Z	INFO	[misconfig] Need to update the built-in checks
2024-12-09T13:19:15Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-09T13:19:17Z	INFO	[secret] Secret scanning is enabled
2024-12-09T13:19:17Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-09T13:19:17Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-09T13:19:18Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-09T13:19:18Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc00029d301?}}, {0x0?, 0x0?}})
	/home/runner/go/pkg/mod/github.com/zclconf/go-cty@v1.15.0/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc0069961c0, 0xc004447710)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc0069961c0)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc004a7f540)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc004a7f540)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc004a7f540)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc004a7f540, {0x58f3078, 0xc00178da70})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc002fa7720, {0x58f3078, 0xc00178da70}, 0xc006a6abc0)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc002fa7720, {0x58f3078, 0xc00178da70}, 0xc004184c30)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc002fa7720, {0x58f3078, 0xc00178da70})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc003c60320, {0x58f3078, 0xc00178da70}, 0xc00664d8c0)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc003c60320, {0x58f3078, 0xc00178da70}, 0xc003e78270)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc003c60320, {0x58f3078, 0xc00178da70})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc0037f7e60, {0x58f3078, 0xc00178da70})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc001188ab0, {0x58f3078, 0xc00178da70}, {0x58b12c0, 0xc000792720}, {0x58959e8, 0x1})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc00116f7c0, {0x58f3120, 0xc0009296c0}, {0x58b12c0, 0xc0014b0a50})
	/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000fa55a0, {0x58f3120?, 0xc0009296c0?}, {{0x58b12c0?, 0xc0014b0a50?}, {0x9?, 0x0?}})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc000510fb0, {0xc000a27600, 0x1f, 0x20}, {0xc0008c6c00, 0x16, 0x20}, 0xc000e40f60, {0x47ad91d, 0x7}}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffe89472b50, 0x2c}, {0x7efe24c6f548, 0xc000369a80}, {0x58b11e0, 0x827fc80}, {0xc000510fb0, {0xc000a27600, 0x1f, 0x20}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc00095f320, 0x2, 0x2}, {0xc000a67340, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc0006fcc60, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc000b11208, {0xc000eb7540, 0x1, 0xa})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc000b11208, {0xc000eb7400, 0xa, 0xa})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc000b10008)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1041 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 9, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/oas

Running Trivy in terraform/environments/oas
2024-12-09T14:04:49Z INFO [vulndb] Need to update DB
2024-12-09T14:04:49Z INFO [vulndb] Downloading vulnerability DB...
2024-12-09T14:04:49Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T14:04:51Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T14:04:51Z INFO [vuln] Vulnerability scanning is enabled
2024-12-09T14:04:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-09T14:04:51Z INFO [misconfig] Need to update the built-in checks
2024-12-09T14:04:51Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-09T14:04:52Z INFO [secret] Secret scanning is enabled
2024-12-09T14:04:52Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-09T14:04:52Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-09T14:04:54Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-09T14:04:54Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc00028f2b1?}}, {0x0?, 0x0?}})
/home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc003308540, 0xc009e967e0)
/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc003308540)
/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc00896ba40)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc00896ba40)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc00896ba40)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc00896ba40, {0x58f3078, 0xc0034f74d0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc0087b05a0, {0x58f3078, 0xc0034f74d0}, 0xc0011ea840)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc0087b05a0, {0x58f3078, 0xc0034f74d0}, 0xc00364b0e0)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc0087b05a0, {0x58f3078, 0xc0034f74d0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc006a19ae0, {0x58f3078, 0xc0034f74d0}, 0xc00745a540)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc006a19ae0, {0x58f3078, 0xc0034f74d0}, 0xc00c3f8870)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc006a19ae0, {0x58f3078, 0xc0034f74d0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc00bf47e60, {0x58f3078, 0xc0034f74d0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc001571200, {0x58f3078, 0xc0034f74d0}, {0x58b12c0, 0xc00402c6a8}, {0x58959e8, 0x1})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc001572280, {0x58f3120, 0xc0007ad030}, {0x58b12c0, 0xc001c3c5b8})
/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc00150f780, {0x58f3120?, 0xc0007ad030?}, {{0x58b12c0?, 0xc001c3c5b8?}, {0x9?, 0x0?}})
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc000354e80, {0xc000600a00, 0x1f, 0x20}, {0xc0015e8400, 0x16, 0x20}, 0xc00105af60, {0x47ad91d, 0x7}}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffca40bfb50, 0x2c}, {0x7f9b7cae78c0, 0xc000d9a100}, {0x58b11e0, 0x827fc80}, {0xc000354e80, {0xc000600a00, 0x1f, 0x20}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{, }, {, }}, {, }, {{0xc000af7a20, 0x2, 0x2}, {0xc001029c00, ...}, ...})
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(, {_, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc000720ba0, ...}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc00078f508, {0xc0006fd860, 0x1, 0xa})
/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc00078f508, {0xc0006fd360, 0xa, 0xa})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc00078ec08)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041 +0x13
main.run()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/oas

*****************************

Running Checkov in terraform/environments/oas
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-09 14:04:57,730 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-09 14:04:57,730 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 93, Failed checks: 39, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.default_oas
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "default_oas" {
		2 |   name = "${local.application_name}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /cloudwatch.tf:102-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "pagerduty_core_alerts" {
		103 |   depends_on = [
		104 |     module.cwalarm
		105 |   ]
		106 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		107 |   sns_topics                = [local.sns_topic_name]
		108 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		109 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oas_app_instance
	File: /ec2.tf:16-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		16 | resource "aws_instance" "oas_app_instance" {
		17 |   ami = local.application_data.accounts[local.environment].ec2amiid
		18 |   # associate_public_ip_address = false
		19 |   availability_zone = "eu-west-2a"
		20 |   ebs_optimized     = true
		21 |   instance_type     = local.application_data.accounts[local.environment].ec2instancetype
		22 |   # vpc_security_group_ids      = [aws_security_group.ec2.id]
		23 |   monitoring = true
		24 |   # subnet_id                   = data.aws_subnet.private_subnets_a.id
		25 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		26 |   user_data_replace_on_change = true
		27 |   user_data                   = base64encode(data.local_file.userdata.content)
		28 | 
		29 | 
		30 | 
		31 |   network_interface {
		32 |     network_interface_id = aws_network_interface.oas_eni.id
		33 |     device_index         = 0
		34 |   }
		35 | 
		36 |   root_block_device {
		37 |     delete_on_termination = false
		38 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		39 |     volume_size           = 40
		40 |     volume_type           = "gp2"
		41 |     tags = merge(
		42 |       local.tags,
		43 |       { "Name" = "${local.application_name}-root-volume" },
		44 |     )
		45 |   }
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "${local.application_name} Apps Server" },
		50 |     { "instance-scheduling" = "skip-scheduling" },
		51 |     { "snapshot-with-daily-7-day-retention" = "yes" }
		52 |   )
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:273-313
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		273 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		274 |   #tfsec:ignore:aws-iam-no-policy-wildcards
		275 |   name = "${local.application_name}-ec2-policy"
		276 |   role = aws_iam_role.ec2_instance_role.id
		277 | 
		278 |   # Terraform's "jsonencode" function converts a
		279 |   # Terraform expression result to valid JSON syntax.
		280 |   policy = jsonencode({
		281 |     Version = "2012-10-17"
		282 |     Statement = [
		283 |       {
		284 |         Action = [
		285 |           "ec2:Describe*",
		286 |         ]
		287 |         Effect   = "Allow"
		288 |         Resource = "*"
		289 |       },
		290 |       {
		291 |         Effect = "Allow",
		292 |         Action = [
		293 |           "s3:ListBucket",
		294 |         ],
		295 |         Resource = [
		296 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001",
		297 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		298 |         ]
		299 |       },
		300 |       {
		301 |         Effect = "Allow",
		302 |         Action = [
		303 |           "s3:GetObject",
		304 |           "s3:PutObject",
		305 |           "s3:PutObjectAcl",
		306 |         ],
		307 |         Resource = [
		308 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		309 |         ]
		310 |       }
		311 |     ]
		312 |   })
		313 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.cwalarm.aws_sns_topic.alerting_topic
	File: /modules/cloudwatch/cloudwatch.tf:38-40
	Calling File: /cloudwatch.tf:94-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		38 | resource "aws_sns_topic" "alerting_topic" {
		39 |   name = var.snsTopicName
		40 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.allow_secret_manager
	File: /modules/rotate_secrets_lambda/main.tf:117-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		117 | resource "aws_lambda_permission" "allow_secret_manager" {
		118 |   action        = "lambda:InvokeFunction"
		119 |   function_name = aws_lambda_function.rotate_secrets.function_name
		120 |   principal     = "secretsmanager.amazonaws.com"
		121 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rotate_secrets_lambda
	File: /modules/rotate_secrets_lambda/main.tf:123-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		123 | resource "aws_cloudwatch_log_group" "rotate_secrets_lambda" {
		124 |   name              = aws_lambda_function.rotate_secrets.function_name
		125 |   retention_in_days = var.log_group_retention_days
		126 |   lifecycle {
		127 |     prevent_destroy = true
		128 |   }
		129 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeORAHOME
	File: /ec2.tf:315-331
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		315 | resource "aws_ebs_volume" "EC2ServerVolumeORAHOME" {
		316 |   availability_zone = "eu-west-2a"
		317 |   size              = local.application_data.accounts[local.environment].orahomesize
		318 |   type              = "gp3"
		319 |   encrypted         = true
		320 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		321 |   snapshot_id       = local.application_data.accounts[local.environment].orahome_snapshot
		322 | 
		323 |   lifecycle {
		324 |     ignore_changes = [kms_key_id]
		325 |   }
		326 | 
		327 |   tags = merge(
		328 |     local.tags,
		329 |     { "Name" = "${local.application_name}-EC2ServerVolumeORAHOME" },
		330 |   )
		331 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeSTAGE
	File: /ec2.tf:339-355
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		339 | resource "aws_ebs_volume" "EC2ServerVolumeSTAGE" {
		340 |   availability_zone = "eu-west-2a"
		341 |   size              = local.application_data.accounts[local.environment].stageesize
		342 |   type              = "gp3"
		343 |   encrypted         = true
		344 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		345 |   snapshot_id       = local.application_data.accounts[local.environment].stage_snapshot
		346 | 
		347 |   lifecycle {
		348 |     ignore_changes = [kms_key_id]
		349 |   }
		350 | 
		351 |   tags = merge(
		352 |     local.tags,
		353 |     { "Name" = "${local.application_name}-EC2ServerVolumeSTAGE" },
		354 |   )
		355 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/oas

*****************************

Running tflint in terraform/environments/oas
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/ec2.tf line 1:
   1: data "local_file" "userdata" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/weblogic.tf line 1:
   1: resource "random_password" "weblogic" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/oas

*****************************

Running Trivy in terraform/environments/oas
2024-12-09T14:04:49Z	INFO	[vulndb] Need to update DB
2024-12-09T14:04:49Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-09T14:04:49Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T14:04:51Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-09T14:04:51Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-09T14:04:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-09T14:04:51Z	INFO	[misconfig] Need to update the built-in checks
2024-12-09T14:04:51Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-09T14:04:52Z	INFO	[secret] Secret scanning is enabled
2024-12-09T14:04:52Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-09T14:04:52Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-09T14:04:54Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-09T14:04:54Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc00028f2b1?}}, {0x0?, 0x0?}})
	/home/runner/go/pkg/mod/github.com/zclconf/go-cty@v1.15.0/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc003308540, 0xc009e967e0)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc003308540)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc00896ba40)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc00896ba40)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc00896ba40)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc00896ba40, {0x58f3078, 0xc0034f74d0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc0087b05a0, {0x58f3078, 0xc0034f74d0}, 0xc0011ea840)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc0087b05a0, {0x58f3078, 0xc0034f74d0}, 0xc00364b0e0)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc0087b05a0, {0x58f3078, 0xc0034f74d0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc006a19ae0, {0x58f3078, 0xc0034f74d0}, 0xc00745a540)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc006a19ae0, {0x58f3078, 0xc0034f74d0}, 0xc00c3f8870)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc006a19ae0, {0x58f3078, 0xc0034f74d0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc00bf47e60, {0x58f3078, 0xc0034f74d0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc001571200, {0x58f3078, 0xc0034f74d0}, {0x58b12c0, 0xc00402c6a8}, {0x58959e8, 0x1})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc001572280, {0x58f3120, 0xc0007ad030}, {0x58b12c0, 0xc001c3c5b8})
	/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc00150f780, {0x58f3120?, 0xc0007ad030?}, {{0x58b12c0?, 0xc001c3c5b8?}, {0x9?, 0x0?}})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc000354e80, {0xc000600a00, 0x1f, 0x20}, {0xc0015e8400, 0x16, 0x20}, 0xc00105af60, {0x47ad91d, 0x7}}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffca40bfb50, 0x2c}, {0x7f9b7cae78c0, 0xc000d9a100}, {0x58b11e0, 0x827fc80}, {0xc000354e80, {0xc000600a00, 0x1f, 0x20}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc000af7a20, 0x2, 0x2}, {0xc001029c00, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc000720ba0, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc00078f508, {0xc0006fd860, 0x1, 0xa})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc00078f508, {0xc0006fd360, 0xa, 0xa})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc00078ec08)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1041 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

@vladimir-kovalyov vladimir-kovalyov merged commit feb227f into main Dec 9, 2024
11 of 16 checks passed
@vladimir-kovalyov vladimir-kovalyov deleted the TM-810 branch December 9, 2024 18:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SteveLinden SteveLinden SteveLinden approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vladimir-kovalyov @SteveLinden