Proposal to remove cloudposse #91

Merged
merged 55 commits into from
Mar 28, 2024
Conversation

georgepstaylor
Member

@georgepstaylor georgepstaylor commented Mar 12, 2024

As it stands the 'module' is mostly an opinionated wrapper around 2 cloudposse modules https://github.com/cloudposse/terraform-aws-ecs-alb-service-task and https://github.com/cloudposse/terraform-aws-ecs-container-definition. One of the agreements (set by MP) for using them was that we had to copy the code into the repo rather than call them remotely.

This PR completely removes all references to cloudposse and essentially rewrites it using plain old terraform resources.
Reasons why I want to do this:

  • using 3rd party modules but just copying the code makes it incredibly messy to update against the upstream

  • the feature to ignore task definition changes doesn't work

  • overall simplicity

This is a breaking change, but currently all consumers of this are pinned to a version/release.
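An added example, not code from this PR or from the module, of the plain-resource shape the description proposes, written so that the two findings the scan bots raise further down this thread (Container Insights on the cluster, EFS transit encryption on the task definition volumes) pass by construction. The scan output also shows both task definition resources carrying `count = var.ignore_changes ? 0 : 1`, which creates neither of them when `ignore_changes` is true; the example gives the second resource the complementary count. Variable names already on the page (`var.name`, `var.tags`, `var.ignore_changes`, `var.container_definitions`, `var.task_role_arn`, `var.task_exec_role_arn`, `var.task_cpu`, `var.task_memory`, `var.efs_volumes`) are reused; the typed `efs_volumes` object, the `optional()` defaults (Terraform 1.3 or later) and the `true` default for Container Insights are assumptions of this example.

```hcl
# Added example, not the module's own code. Variable names are the page's; their
# types, defaults and the complementary counts are assumptions of this example.

variable "enable_container_insights" {
  type    = bool
  default = true # opt-out, so a bare module call passes CKV_AWS_65 / aws-ecs-enable-container-insight
}

# Explicit object type for the volume list (optional() needs Terraform >= 1.3).
variable "efs_volumes" {
  type = list(object({
    name                    = string
    file_system_id          = string
    root_directory          = optional(string, "/")
    transit_encryption_port = optional(number)
    access_point_id         = optional(string)
    iam                     = optional(string, "DISABLED")
  }))
  default = []
}

resource "aws_ecs_cluster" "this" {
  name = var.name
  tags = var.tags

  setting {
    name  = "containerInsights"
    value = var.enable_container_insights ? "enabled" : "disabled" # the API takes these strings, not a bool
  }
}

# lifecycle {} must be static, so "ignore container_definitions drift" needs a second
# resource. The two counts are complements: exactly one task definition is created.
resource "aws_ecs_task_definition" "default" {
  count                 = var.ignore_changes ? 0 : 1
  family                = var.name
  container_definitions = var.container_definitions
  task_role_arn         = var.task_role_arn
  execution_role_arn    = var.task_exec_role_arn
  network_mode          = "awsvpc"
  cpu                   = var.task_cpu
  memory                = var.task_memory
  tags                  = var.tags

  dynamic "volume" {
    for_each = var.efs_volumes
    content {
      name = volume.value.name
      efs_volume_configuration {
        file_system_id          = volume.value.file_system_id
        root_directory          = volume.value.root_directory
        transit_encryption      = "ENABLED" # fixed rather than a variable: consumers cannot turn it off (CKV_AWS_97)
        transit_encryption_port = volume.value.transit_encryption_port
        authorization_config {
          access_point_id = volume.value.access_point_id
          iam             = volume.value.iam
        }
      }
    }
  }
}

resource "aws_ecs_task_definition" "ignore_changes" {
  count                 = var.ignore_changes ? 1 : 0 # complement of "default" above
  family                = var.name
  container_definitions = var.container_definitions
  task_role_arn         = var.task_role_arn
  execution_role_arn    = var.task_exec_role_arn
  network_mode          = "awsvpc"
  cpu                   = var.task_cpu
  memory                = var.task_memory
  tags                  = var.tags

  dynamic "volume" {
    for_each = var.efs_volumes
    content {
      name = volume.value.name
      efs_volume_configuration {
        file_system_id          = volume.value.file_system_id
        root_directory          = volume.value.root_directory
        transit_encryption      = "ENABLED"
        transit_encryption_port = volume.value.transit_encryption_port
        authorization_config {
          access_point_id = volume.value.access_point_id
          iam             = volume.value.iam
        }
      }
    }
  }

  lifecycle {
    ignore_changes = [container_definitions] # revisions made outside Terraform are not re-planned
  }
}
```

With `ignore_changes = true` only the second resource exists and Terraform leaves the container definition JSON alone once it has been revised elsewhere; with it `false` only the first exists and every change is planned. Because `transit_encryption` is a literal rather than a variable, a consumer cannot opt a volume out of encrypted transit, which is the property both scanners are checking for.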

@georgepstaylor georgepstaylor requested a review from a team as a code owner March 12, 2024 20:18
Contributor

TFSEC Scan Failed

```hcl

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 127.836µs
parsing 2.926704ms
adaptation 180.218µs
checks 8.30356ms
total 11.538318ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 2
blocks processed 28
files read 7

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2
```

Checkov Scan Failed

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-12 20:20:13,780 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 17, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = var.container_definitions
		4  |   family                = var.name
		5  | 
		6  |   network_mode = "awsvpc"
		7  | 
		8  |   dynamic "volume" {
		9  |     for_each = var.efs_volumes
		10 |     content {
		11 |       host_path = lookup(volume.value, "host_path", null)
		12 |       name      = volume.value.name
		13 | 
		14 |       dynamic "efs_volume_configuration" {
		15 |         for_each = volume.value
		16 | 
		17 |         content {
		18 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		19 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		20 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		21 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		22 | 
		23 |           dynamic "authorization_config" {
		24 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		25 |             content {
		26 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		27 |               iam             = lookup(authorization_config.value, "iam", null)
		28 |             }
		29 |           }
		30 |         }
		31 |       }
		32 |     }
		33 |   }
		34 |   tags = var.tags
		35 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:37-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		37 | resource "aws_ecs_task_definition" "ignore_changes" {
		38 |   count                 = var.ignore_changes ? 0 : 1
		39 |   container_definitions = var.container_definitions
		40 |   family                = var.name
		41 | 
		42 |   network_mode = "awsvpc"
		43 | 
		44 |   ephemeral_storage {
		45 |     size_in_gib = var.ephemeral_storage_size_in_gib
		46 |   }
		47 | 
		48 |   dynamic "volume" {
		49 |     for_each = var.efs_volumes
		50 |     content {
		51 |       host_path = lookup(volume.value, "host_path", null)
		52 |       name      = volume.value.name
		53 | 
		54 |       dynamic "efs_volume_configuration" {
		55 |         for_each = volume.value
		56 | 
		57 |         content {
		58 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		59 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		60 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		61 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		62 | 
		63 |           dynamic "authorization_config" {
		64 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		65 |             content {
		66 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		67 |               iam             = lookup(authorization_config.value, "iam", null)
		68 |             }
		69 |           }
		70 |         }
		71 |       }
		72 |     }
		73 |   }
		74 |   tags = var.tags
		75 | 
		76 |   lifecycle {
		77 |     ignore_changes = [container_definitions]
		78 |   }
		79 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1
```

CTFLint Scan Success

```hcl
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0
```

Trivy Scan

Contributor

TFSEC Scan Failed

```hcl

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 133.54µs
parsing 1.48336ms
adaptation 108.423µs
checks 11.075538ms
total 12.800861ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 2
blocks processed 32
files read 7

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2
```

Checkov Scan Failed

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-12 20:28:35,161 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 17, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = var.container_definitions
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.execution_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   task_cpu    = var.task_cpu
		12 |   task_memory = var.task_memory
		13 | 
		14 |   dynamic "volume" {
		15 |     for_each = var.efs_volumes
		16 |     content {
		17 |       host_path = lookup(volume.value, "host_path", null)
		18 |       name      = volume.value.name
		19 | 
		20 |       dynamic "efs_volume_configuration" {
		21 |         for_each = volume.value
		22 | 
		23 |         content {
		24 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		25 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		26 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		27 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		28 | 
		29 |           dynamic "authorization_config" {
		30 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		31 |             content {
		32 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		33 |               iam             = lookup(authorization_config.value, "iam", null)
		34 |             }
		35 |           }
		36 |         }
		37 |       }
		38 |     }
		39 |   }
		40 |   tags = var.tags
		41 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:43-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		43 | resource "aws_ecs_task_definition" "ignore_changes" {
		44 |   count                 = var.ignore_changes ? 0 : 1
		45 |   container_definitions = var.container_definitions
		46 |   family                = var.name
		47 | 
		48 |   task_role_arn      = var.task_role_arn
		49 |   execution_role_arn = var.execution_role_arn
		50 | 
		51 |   network_mode = "awsvpc"
		52 | 
		53 |   task_cpu    = var.task_cpu
		54 |   task_memory = var.task_memory
		55 | 
		56 |   ephemeral_storage {
		57 |     size_in_gib = var.ephemeral_storage_size_in_gib
		58 |   }
		59 | 
		60 |   dynamic "volume" {
		61 |     for_each = var.efs_volumes
		62 |     content {
		63 |       host_path = lookup(volume.value, "host_path", null)
		64 |       name      = volume.value.name
		65 | 
		66 |       dynamic "efs_volume_configuration" {
		67 |         for_each = volume.value
		68 | 
		69 |         content {
		70 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		71 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		72 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		73 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		74 | 
		75 |           dynamic "authorization_config" {
		76 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		77 |             content {
		78 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		79 |               iam             = lookup(authorization_config.value, "iam", null)
		80 |             }
		81 |           }
		82 |         }
		83 |       }
		84 |     }
		85 |   }
		86 |   tags = var.tags
		87 | 
		88 |   lifecycle {
		89 |     ignore_changes = [container_definitions]
		90 |   }
		91 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1
```

CTFLint Scan Success

```hcl
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0
```

Trivy Scan

Contributor

TFSEC Scan Failed

```hcl

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 130.624µs
parsing 1.498481ms
adaptation 128.589µs
checks 11.32459ms
total 13.082284ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 2
blocks processed 33
files read 7

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2
```

Checkov Scan Failed

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-12 20:37:48,027 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 17, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = var.container_definitions
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.execution_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   task_cpu    = var.task_cpu
		12 |   task_memory = var.task_memory
		13 | 
		14 |   dynamic "volume" {
		15 |     for_each = var.efs_volumes
		16 |     content {
		17 |       host_path = lookup(volume.value, "host_path", null)
		18 |       name      = volume.value.name
		19 | 
		20 |       dynamic "efs_volume_configuration" {
		21 |         for_each = volume.value
		22 | 
		23 |         content {
		24 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		25 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		26 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		27 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		28 | 
		29 |           dynamic "authorization_config" {
		30 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		31 |             content {
		32 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		33 |               iam             = lookup(authorization_config.value, "iam", null)
		34 |             }
		35 |           }
		36 |         }
		37 |       }
		38 |     }
		39 |   }
		40 |   tags = var.tags
		41 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:43-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		43 | resource "aws_ecs_task_definition" "ignore_changes" {
		44 |   count                 = var.ignore_changes ? 0 : 1
		45 |   container_definitions = var.container_definitions
		46 |   family                = var.name
		47 | 
		48 |   task_role_arn      = var.task_role_arn
		49 |   execution_role_arn = var.execution_role_arn
		50 | 
		51 |   network_mode = "awsvpc"
		52 | 
		53 |   task_cpu    = var.task_cpu
		54 |   task_memory = var.task_memory
		55 | 
		56 |   ephemeral_storage {
		57 |     size_in_gib = var.ephemeral_storage_size_in_gib
		58 |   }
		59 | 
		60 |   dynamic "volume" {
		61 |     for_each = var.efs_volumes
		62 |     content {
		63 |       host_path = lookup(volume.value, "host_path", null)
		64 |       name      = volume.value.name
		65 | 
		66 |       dynamic "efs_volume_configuration" {
		67 |         for_each = volume.value
		68 | 
		69 |         content {
		70 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		71 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		72 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		73 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		74 | 
		75 |           dynamic "authorization_config" {
		76 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		77 |             content {
		78 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		79 |               iam             = lookup(authorization_config.value, "iam", null)
		80 |             }
		81 |           }
		82 |         }
		83 |       }
		84 |     }
		85 |   }
		86 |   tags = var.tags
		87 | 
		88 |   lifecycle {
		89 |     ignore_changes = [container_definitions]
		90 |   }
		91 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1
```

CTFLint Scan Success

```hcl
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0
```

Trivy Scan

Contributor

TFSEC Scan Failed

```hcl

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 123.188µs
parsing 1.520962ms
adaptation 131.334µs
checks 12.366308ms
total 14.141792ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 2
blocks processed 33
files read 7

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2
```

Checkov Scan Failed

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-12 20:39:53,986 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 17, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = var.container_definitions
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 0 : 1
		44 |   container_definitions = var.container_definitions
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1
```

CTFLint Scan Success

```hcl
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0
```

Trivy Scan

Contributor

TFSEC Scan Failed

```hcl

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 154.169µs
parsing 1.602892ms
adaptation 138.228µs
checks 11.023222ms
total 12.918511ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 2
blocks processed 32
files read 7

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-12 20:42:21,500 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 17, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = var.container_definitions
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 0 : 1
		44 |   container_definitions = var.container_definitions
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output

Contributor

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 138.678µs
parsing 1.833089ms
adaptation 120.134µs
checks 7.070757ms
total 9.162658ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 2
blocks processed 31
files read 7

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-12 20:44:17,649 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 17, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = var.container_definitions
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 0 : 1
		44 |   container_definitions = var.container_definitions
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output

Contributor

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 181.873µs
parsing 2.353914ms
adaptation 159.527µs
checks 14.908216ms
total 17.60353ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 3
blocks processed 46
files read 10

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-13 21:45:33,147 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = var.container_definitions
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 0 : 1
		44 |   container_definitions = var.container_definitions
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output

Contributor

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 197.078µs
parsing 2.590218ms
adaptation 143.609µs
checks 13.407526ms
total 16.338431ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 3
blocks processed 46
files read 10

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-13 21:49:40,256 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = var.container_definitions
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 0 : 1
		44 |   container_definitions = var.container_definitions
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output

Contributor

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 220.813µs
parsing 2.411354ms
adaptation 159.589µs
checks 13.614682ms
total 16.406438ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 3
blocks processed 46
files read 10

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-13 21:55:21,407 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = var.container_definitions
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 1 : 0
		44 |   container_definitions = var.container_definitions
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

TFSEC Scan Failed

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 204.635µs
parsing 2.483952ms
adaptation 149.28µs
checks 12.491117ms
total 15.328984ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 3
blocks processed 46
files read 10

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-13 21:59:26,193 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = nonsensitive(var.container_definitions)
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 1 : 0
		44 |   container_definitions = nonsensitive(var.container_definitions)
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

TFSEC Scan Failed

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 189.602µs
parsing 3.395017ms
adaptation 158.644µs
checks 14.425701ms
total 18.168964ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 3
blocks processed 46
files read 10

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-13 22:13:44,625 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = nonsensitive(var.container_definitions)
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 1 : 0
		44 |   container_definitions = nonsensitive(var.container_definitions)
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

TFSEC Scan Failed

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 186.368µs
parsing 2.68718ms
adaptation 130.063µs
checks 14.254901ms
total 17.258512ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 3
blocks processed 47
files read 10

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-13 22:15:44,160 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = nonsensitive(var.container_definitions)
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 1 : 0
		44 |   container_definitions = nonsensitive(var.container_definitions)
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

TFSEC Scan Failed

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Error: scan failed: github/workspace/container/main.tf:15,76-77: Missing item separator; Expected a comma to mark the beginning of the next item.
tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-13 22:38:46,123 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2, Parsing errors: 1

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = nonsensitive(var.container_definitions)
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 1 : 0
		44 |   container_definitions = nonsensitive(var.container_definitions)
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output

Contributor

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Error: scan failed: github/workspace/container/main.tf:15,76-77: Missing item separator; Expected a comma to mark the beginning of the next item.
tfsec_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-13 22:39:50,432 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2, Parsing errors: 1

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = nonsensitive(var.container_definitions)
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 1 : 0
		44 |   container_definitions = nonsensitive(var.container_definitions)
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output

Contributor

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 194.393µs
parsing 2.92357ms
adaptation 153.555µs
checks 17.246463ms
total 20.517981ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 3
blocks processed 49
files read 10

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-13 22:40:55,941 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = nonsensitive(var.container_definitions)
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 1 : 0
		44 |   container_definitions = nonsensitive(var.container_definitions)
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output

Contributor

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 176.408µs
parsing 2.74701ms
adaptation 134.961µs
checks 17.101267ms
total 20.159646ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 3
blocks processed 49
files read 10

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-13 22:44:48,494 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes ? 0 : 1
		3  |   container_definitions = nonsensitive(var.container_definitions)
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes ? 1 : 0
		44 |   container_definitions = nonsensitive(var.container_definitions)
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output

Contributor

TFSEC Scan Failed

Show Output

TFSEC will check the following folders:
.


Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 LOW Cluster does not have container insights enabled.
────────────────────────────────────────────────────────────────────────────────
cluster/main.tf:6
────────────────────────────────────────────────────────────────────────────────
1 resource "aws_ecs_cluster" "this" {
2 name = var.name
3 tags = var.tags
4 setting {
5 name = "containerInsights"
6 [ value = var.enable_container_insights
7 }
8 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ecs-enable-container-insight
Impact Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
Resolution Enable Container Insights

More Information

timings
──────────────────────────────────────────
disk i/o 174.696µs
parsing 2.811773ms
adaptation 150.733µs
checks 14.833915ms
total 17.971117ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 3
blocks processed 50
files read 10

results
──────────────────────────────────────────
passed 0
ignored 0
critical 0
high 0
medium 0
low 1

1 potential problem(s) detected.

tfsec_exitcode=2

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-15 12:32:26,514 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 19, Failed checks: 3, Skipped checks: 2

Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
	FAILED for resource: aws_ecs_cluster.this
	File: /cluster/main.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11

		1 | resource "aws_ecs_cluster" "this" {
		2 |   name = var.name
		3 |   tags = var.tags
		4 |   setting {
		5 |     name  = "containerInsights"
		6 |     value = var.enable_container_insights
		7 |   }
		8 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.default
	File: /service/task_def.tf:1-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		1  | resource "aws_ecs_task_definition" "default" {
		2  |   count                 = var.ignore_changes || var.ignore_changes_service_task_definition == false ? 0 : 1
		3  |   container_definitions = nonsensitive(var.container_definitions)
		4  |   family                = var.name
		5  | 
		6  |   task_role_arn      = var.task_role_arn
		7  |   execution_role_arn = var.task_exec_role_arn
		8  | 
		9  |   network_mode = "awsvpc"
		10 | 
		11 |   cpu    = var.task_cpu
		12 |   memory = var.task_memory
		13 |   dynamic "volume" {
		14 |     for_each = var.efs_volumes
		15 |     content {
		16 |       host_path = lookup(volume.value, "host_path", null)
		17 |       name      = volume.value.name
		18 | 
		19 |       dynamic "efs_volume_configuration" {
		20 |         for_each = volume.value
		21 | 
		22 |         content {
		23 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		24 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		25 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		26 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		27 | 
		28 |           dynamic "authorization_config" {
		29 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		30 |             content {
		31 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		32 |               iam             = lookup(authorization_config.value, "iam", null)
		33 |             }
		34 |           }
		35 |         }
		36 |       }
		37 |     }
		38 |   }
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_97: "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions"
	FAILED for resource: aws_ecs_task_definition.ignore_changes
	File: /service/task_def.tf:42-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-39

		42 | resource "aws_ecs_task_definition" "ignore_changes" {
		43 |   count                 = var.ignore_changes || var.ignore_changes_service_task_definition == false ? 1 : 0
		44 |   container_definitions = nonsensitive(var.container_definitions)
		45 |   family                = var.name
		46 | 
		47 |   task_role_arn      = var.task_role_arn
		48 |   execution_role_arn = var.task_exec_role_arn
		49 | 
		50 |   network_mode = "awsvpc"
		51 | 
		52 |   cpu    = var.task_cpu
		53 |   memory = var.task_memory
		54 | 
		55 |   ephemeral_storage {
		56 |     size_in_gib = var.ephemeral_storage_size_in_gib
		57 |   }
		58 | 
		59 |   dynamic "volume" {
		60 |     for_each = var.efs_volumes
		61 |     content {
		62 |       host_path = lookup(volume.value, "host_path", null)
		63 |       name      = volume.value.name
		64 | 
		65 |       dynamic "efs_volume_configuration" {
		66 |         for_each = volume.value
		67 | 
		68 |         content {
		69 |           file_system_id          = lookup(efs_volume_configuration.value, "file_system_id", null)
		70 |           root_directory          = lookup(efs_volume_configuration.value, "root_directory", null)
		71 |           transit_encryption      = lookup(efs_volume_configuration.value, "transit_encryption", null)
		72 |           transit_encryption_port = lookup(efs_volume_configuration.value, "transit_encryption_port", null)
		73 | 
		74 |           dynamic "authorization_config" {
		75 |             for_each = lookup(efs_volume_configuration.value, "authorization_config", [])
		76 |             content {
		77 |               access_point_id = lookup(authorization_config.value, "access_point_id", null)
		78 |               iam             = lookup(authorization_config.value, "iam", null)
		79 |             }
		80 |           }
		81 |         }
		82 |       }
		83 |     }
		84 |   }
		85 |   tags = var.tags
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [container_definitions]
		89 |   }
		90 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output

Contributor

@richgreen-moj richgreen-moj left a comment

Discussed/explained here
LGTM

@georgepstaylor georgepstaylor merged commit 519c56c into main Mar 28, 2024
2 of 4 checks passed
@georgepstaylor georgepstaylor deleted the remove-cloudposse branch March 28, 2024 17:13