
LAWS-3514: added module for s3 bucket in apex #3667

Merged
merged 95 commits into from
Oct 26, 2023

Conversation

tajewole-moj
Contributor

No description provided.

@tajewole-moj tajewole-moj requested review from a team as code owners October 16, 2023 11:04
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 16, 2023
@github-actions
Contributor

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@tmahmood72 tmahmood72 temporarily deployed to apex-development October 16, 2023 11:11 — with GitHub Actions Inactive
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/wardship

*****************************

Running TFSEC in terraform/environments/wardship
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:236
────────────────────────────────────────────────────────────────────────────────
  220    resource "aws_security_group" "ecs_service" {
  ...  
  236  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  238    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-7 CRITICAL Security group rule allows ingress from public internet. (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:19-34
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "wardship_lb_sc" {
    .  
   19  ┌     cidr_blocks = [
   20  │       "194.33.193.0/25",
   21  │       "179.50.12.212/32",
   22  │       "93.56.171.15/32",
   23  │       "52.67.148.55/32",
   24  │       "194.33.197.0/25",
   25  │       "213.121.161.124/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-52 (aws_security_group.wardship_lb_sc) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:42
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "wardship_lb_sc" {
    .  
   42  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:50
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "wardship_lb_sc" {
    .  
   50  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "wardship_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_wardship_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #12 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:76
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   76  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   79    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:155-160
────────────────────────────────────────────────────────────────────────────────
  146    resource "aws_iam_role_policy" "app_execution" {
  ...  
  155  ┌            "Action": [
  156  │              "ecr:*",
  157  │              "logs:CreateLogStream",
  158  │              "logs:PutLogEvents",
  159  │              "secretsmanager:GetSecretValue"
  160  └            ],
  ...  
  167    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:161
────────────────────────────────────────────────────────────────────────────────
  146    resource "aws_iam_role_policy" "app_execution" {
  ...  
  161  [            "Resource": "*",
  ...  
  167    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-17 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:206-212
────────────────────────────────────────────────────────────────────────────────
  196    resource "aws_iam_role_policy" "app_task" {
  ...  
  206  ┌         "Action": [
  207  │           "logs:CreateLogStream",
  208  │           "logs:PutLogEvents",
  209  │           "ecr:*",
  210  │           "iam:*",
  211  │           "ec2:*"
  212  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:196-218 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #18 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:213
────────────────────────────────────────────────────────────────────────────────
  196    resource "aws_iam_role_policy" "app_task" {
  ...  
  213  [        "Resource": "*"
  ...  
  218    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:240-243
────────────────────────────────────────────────────────────────────────────────
  240    resource "aws_ecr_repository" "wardship_ecr_repo" {
  241      name         = "wardship-ecr-repo"
  242      force_delete = true
  243    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:240-243
────────────────────────────────────────────────────────────────────────────────
  240    resource "aws_ecr_repository" "wardship_ecr_repo" {
  241      name         = "wardship-ecr-repo"
  242      force_delete = true
  243    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:109-117
────────────────────────────────────────────────────────────────────────────────
  109    resource "aws_lb" "wardship_lb" {
  110      name                       = "wardship-load-balancer"
  111      load_balancer_type         = "application"
  112      security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  113      subnets                    = data.aws_subnets.shared-public.ids
  114      enable_deletion_protection = false
  115      internal                   = false
  116      depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
  117    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:115
────────────────────────────────────────────────────────────────────────────────
  109    resource "aws_lb" "wardship_lb" {
  110      name                       = "wardship-load-balancer"
  111      load_balancer_type         = "application"
  112      security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  113      subnets                    = data.aws_subnets.shared-public.ids
  114      enable_deletion_protection = false
  115  [   internal                   = false (false)
  116      depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
  117    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "wardship_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #25 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "wardship_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "wardship_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #27 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:220-238
────────────────────────────────────────────────────────────────────────────────
  220  ┌ resource "aws_security_group" "ecs_service" {
  221  │   name_prefix = "ecs-service-sg-"
  222  │   vpc_id      = data.aws_vpc.shared.id
  223  │ 
  224  │   ingress {
  225  │     from_port       = 80
  226  │     to_port         = 80
  227  │     protocol        = "tcp"
  228  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:232-237
────────────────────────────────────────────────────────────────────────────────
  220    resource "aws_security_group" "ecs_service" {
  ...  
  232  ┌   egress {
  233  │     from_port   = 0
  234  │     to_port     = 0
  235  │     protocol    = "-1"
  236  │     cidr_blocks = ["0.0.0.0/0"]
  237  └   }
  238    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:240-243
────────────────────────────────────────────────────────────────────────────────
  240    resource "aws_ecr_repository" "wardship_ecr_repo" {
  241      name         = "wardship-ecr-repo"
  242      force_delete = true
  243    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-11
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name = "/aws/events/deploymentLogs"
   11    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:15-35
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "wardship_lb_sc" {
    .  
   15  ┌   ingress {
   16  │     from_port = 443
   17  │     to_port   = 443
   18  │     protocol  = "tcp"
   19  │     cidr_blocks = [
   20  │       "194.33.193.0/25",
   21  │       "179.50.12.212/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:60-105
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_security_group" "lb_sc_pingdom" {
   55      name        = "load balancer Pingdom security group"
   56      description = "control Pingdom access to the load balancer"
   57      vpc_id      = data.aws_vpc.shared.id
   58    
   59      // Allow all European Pingdom IP addresses
   60  ┌   ingress {
   61  │     from_port = 443
   62  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "wardship_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_wardship_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             426.202µs
  parsing              27.957252ms
  adaptation           837.71µs
  checks               46.393384ms
  total                75.614548ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     84
  files read           15

  results
  ──────────────────────────────────────────
  passed               32
  ignored              1
  critical             12
  high                 12
  medium               2
  low                  8

  32 passed, 1 ignored, 34 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/wardship

*****************************

Running Checkov in terraform/environments/wardship
terraform scan results:

Passed checks: 63, Failed checks: 39, Skipped checks: 0

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-11
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-13.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name = "/aws/events/deploymentLogs"
		11 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-11

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name = "/aws/events/deploymentLogs"
		11 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-11
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name = "/aws/events/deploymentLogs"
		11 | }

Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.wardship_ecs_service
	File: /ecs.tf:89-117

		89  | resource "aws_ecs_service" "wardship_ecs_service" {
		90  |   depends_on = [
		91  |     aws_lb_listener.wardship_lb
		92  |   ]
		93  | 
		94  |   name                              = var.networking[0].application
		95  |   cluster                           = aws_ecs_cluster.wardship_cluster.id
		96  |   task_definition                   = aws_ecs_task_definition.wardship_task_definition.arn
		97  |   launch_type                       = "FARGATE"
		98  |   enable_execute_command            = true
		99  |   desired_count                     = 2
		100 |   health_check_grace_period_seconds = 180
		101 | 
		102 |   network_configuration {
		103 |     subnets          = data.aws_subnets.shared-public.ids
		104 |     security_groups  = [aws_security_group.ecs_service.id]
		105 |     assign_public_ip = true
		106 |   }
		107 | 
		108 |   load_balancer {
		109 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		110 |     container_name   = "wardship-container"
		111 |     container_port   = 80
		112 |   }
		113 | 
		114 |   deployment_controller {
		115 |     type = "ECS"
		116 |   }
		117 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:146-167

		146 | resource "aws_iam_role_policy" "app_execution" {
		147 |   name = "execution-${var.networking[0].application}"
		148 |   role = aws_iam_role.app_execution.id
		149 | 
		150 |   policy = <<-EOF
		151 |   {
		152 |     "Version": "2012-10-17",
		153 |     "Statement": [
		154 |       {
		155 |            "Action": [
		156 |               "ecr:*",
		157 |               "logs:CreateLogStream",
		158 |               "logs:PutLogEvents",
		159 |               "secretsmanager:GetSecretValue"
		160 |            ],
		161 |            "Resource": "*",
		162 |            "Effect": "Allow"
		163 |       }
		164 |     ]
		165 |   }
		166 |   EOF
		167 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:146-167

		146 | resource "aws_iam_role_policy" "app_execution" {
		147 |   name = "execution-${var.networking[0].application}"
		148 |   role = aws_iam_role.app_execution.id
		149 | 
		150 |   policy = <<-EOF
		151 |   {
		152 |     "Version": "2012-10-17",
		153 |     "Statement": [
		154 |       {
		155 |            "Action": [
		156 |               "ecr:*",
		157 |               "logs:CreateLogStream",
		158 |               "logs:PutLogEvents",
		159 |               "secretsmanager:GetSecretValue"
		160 |            ],
		161 |            "Resource": "*",
		162 |            "Effect": "Allow"
		163 |       }
		164 |     ]
		165 |   }
		166 |   EOF
		167 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:146-167

		146 | resource "aws_iam_role_policy" "app_execution" {
		147 |   name = "execution-${var.networking[0].application}"
		148 |   role = aws_iam_role.app_execution.id
		149 | 
		150 |   policy = <<-EOF
		151 |   {
		152 |     "Version": "2012-10-17",
		153 |     "Statement": [
		154 |       {
		155 |            "Action": [
		156 |               "ecr:*",
		157 |               "logs:CreateLogStream",
		158 |               "logs:PutLogEvents",
		159 |               "secretsmanager:GetSecretValue"
		160 |            ],
		161 |            "Resource": "*",
		162 |            "Effect": "Allow"
		163 |       }
		164 |     ]
		165 |   }
		166 |   EOF
		167 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:146-167

		146 | resource "aws_iam_role_policy" "app_execution" {
		147 |   name = "execution-${var.networking[0].application}"
		148 |   role = aws_iam_role.app_execution.id
		149 | 
		150 |   policy = <<-EOF
		151 |   {
		152 |     "Version": "2012-10-17",
		153 |     "Statement": [
		154 |       {
		155 |            "Action": [
		156 |               "ecr:*",
		157 |               "logs:CreateLogStream",
		158 |               "logs:PutLogEvents",
		159 |               "secretsmanager:GetSecretValue"
		160 |            ],
		161 |            "Resource": "*",
		162 |            "Effect": "Allow"
		163 |       }
		164 |     ]
		165 |   }
		166 |   EOF
		167 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:196-218

		196 | resource "aws_iam_role_policy" "app_task" {
		197 |   name = "task-${var.networking[0].application}"
		198 |   role = aws_iam_role.app_task.id
		199 | 
		200 |   policy = <<-EOF
		201 |   {
		202 |    "Version": "2012-10-17",
		203 |    "Statement": [
		204 |      {
		205 |        "Effect": "Allow",
		206 |         "Action": [
		207 |           "logs:CreateLogStream",
		208 |           "logs:PutLogEvents",
		209 |           "ecr:*",
		210 |           "iam:*",
		211 |           "ec2:*"
		212 |         ],
		213 |        "Resource": "*"
		214 |      }
		215 |    ]
		216 |   }
		217 |   EOF
		218 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:196-218

		196 | resource "aws_iam_role_policy" "app_task" {
		197 |   name = "task-${var.networking[0].application}"
		198 |   role = aws_iam_role.app_task.id
		199 | 
		200 |   policy = <<-EOF
		201 |   {
		202 |    "Version": "2012-10-17",
		203 |    "Statement": [
		204 |      {
		205 |        "Effect": "Allow",
		206 |         "Action": [
		207 |           "logs:CreateLogStream",
		208 |           "logs:PutLogEvents",
		209 |           "ecr:*",
		210 |           "iam:*",
		211 |           "ec2:*"
		212 |         ],
		213 |        "Resource": "*"
		214 |      }
		215 |    ]
		216 |   }
		217 |   EOF
		218 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:196-218

		196 | resource "aws_iam_role_policy" "app_task" {
		197 |   name = "task-${var.networking[0].application}"
		198 |   role = aws_iam_role.app_task.id
		199 | 
		200 |   policy = <<-EOF
		201 |   {
		202 |    "Version": "2012-10-17",
		203 |    "Statement": [
		204 |      {
		205 |        "Effect": "Allow",
		206 |         "Action": [
		207 |           "logs:CreateLogStream",
		208 |           "logs:PutLogEvents",
		209 |           "ecr:*",
		210 |           "iam:*",
		211 |           "ec2:*"
		212 |         ],
		213 |        "Resource": "*"
		214 |      }
		215 |    ]
		216 |   }
		217 |   EOF
		218 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:196-218

		196 | resource "aws_iam_role_policy" "app_task" {
		197 |   name = "task-${var.networking[0].application}"
		198 |   role = aws_iam_role.app_task.id
		199 | 
		200 |   policy = <<-EOF
		201 |   {
		202 |    "Version": "2012-10-17",
		203 |    "Statement": [
		204 |      {
		205 |        "Effect": "Allow",
		206 |         "Action": [
		207 |           "logs:CreateLogStream",
		208 |           "logs:PutLogEvents",
		209 |           "ecr:*",
		210 |           "iam:*",
		211 |           "ec2:*"
		212 |         ],
		213 |        "Resource": "*"
		214 |      }
		215 |    ]
		216 |   }
		217 |   EOF
		218 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:196-218

		196 | resource "aws_iam_role_policy" "app_task" {
		197 |   name = "task-${var.networking[0].application}"
		198 |   role = aws_iam_role.app_task.id
		199 | 
		200 |   policy = <<-EOF
		201 |   {
		202 |    "Version": "2012-10-17",
		203 |    "Statement": [
		204 |      {
		205 |        "Effect": "Allow",
		206 |         "Action": [
		207 |           "logs:CreateLogStream",
		208 |           "logs:PutLogEvents",
		209 |           "ecr:*",
		210 |           "iam:*",
		211 |           "ec2:*"
		212 |         ],
		213 |        "Resource": "*"
		214 |      }
		215 |    ]
		216 |   }
		217 |   EOF
		218 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:220-238
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		220 | resource "aws_security_group" "ecs_service" {
		221 |   name_prefix = "ecs-service-sg-"
		222 |   vpc_id      = data.aws_vpc.shared.id
		223 | 
		224 |   ingress {
		225 |     from_port       = 80
		226 |     to_port         = 80
		227 |     protocol        = "tcp"
		228 |     description     = "Allow traffic on port 80 from load balancer"
		229 |     security_groups = [aws_security_group.wardship_lb_sc.id]
		230 |   }
		231 | 
		232 |   egress {
		233 |     from_port   = 0
		234 |     to_port     = 0
		235 |     protocol    = "-1"
		236 |     cidr_blocks = ["0.0.0.0/0"]
		237 |   }
		238 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:240-243
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		240 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		241 |   name         = "wardship-ecr-repo"
		242 |   force_delete = true
		243 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:240-243
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		240 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		241 |   name         = "wardship-ecr-repo"
		242 |   force_delete = true
		243 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:240-243
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		240 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		241 |   name         = "wardship-ecr-repo"
		242 |   force_delete = true
		243 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.wardship_lb_sc
	File: /load_balancer.tf:1-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:54-106
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:109-117
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		109 | resource "aws_lb" "wardship_lb" {
		110 |   name                       = "wardship-load-balancer"
		111 |   load_balancer_type         = "application"
		112 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		113 |   subnets                    = data.aws_subnets.shared-public.ids
		114 |   enable_deletion_protection = false
		115 |   internal                   = false
		116 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
		117 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:109-117
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		109 | resource "aws_lb" "wardship_lb" {
		110 |   name                       = "wardship-load-balancer"
		111 |   load_balancer_type         = "application"
		112 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		113 |   subnets                    = data.aws_subnets.shared-public.ids
		114 |   enable_deletion_protection = false
		115 |   internal                   = false
		116 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
		117 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:109-117
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		109 | resource "aws_lb" "wardship_lb" {
		110 |   name                       = "wardship-load-balancer"
		111 |   load_balancer_type         = "application"
		112 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		113 |   subnets                    = data.aws_subnets.shared-public.ids
		114 |   enable_deletion_protection = false
		115 |   internal                   = false
		116 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
		117 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.wardship_target_group
	File: /load_balancer.tf:119-141
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		119 | resource "aws_lb_target_group" "wardship_target_group" {
		120 |   name                 = "wardship-target-group"
		121 |   port                 = 80
		122 |   protocol             = "HTTP"
		123 |   vpc_id               = data.aws_vpc.shared.id
		124 |   target_type          = "ip"
		125 |   deregistration_delay = 30
		126 | 
		127 |   stickiness {
		128 |     type = "lb_cookie"
		129 |   }
		130 | 
		131 |   health_check {
		132 |     healthy_threshold   = "3"
		133 |     interval            = "30"
		134 |     protocol            = "HTTP"
		135 |     port                = "80"
		136 |     unhealthy_threshold = "5"
		137 |     matcher             = "200-302"
		138 |     timeout             = "10"
		139 |   }
		140 | 
		141 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_wardship_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_wardship_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_wardship_access-${local.environment}"
		27 |   description = "Allow wardship on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow wardship on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:109-117
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		109 | resource "aws_lb" "wardship_lb" {
		110 |   name                       = "wardship-load-balancer"
		111 |   load_balancer_type         = "application"
		112 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		113 |   subnets                    = data.aws_subnets.shared-public.ids
		114 |   enable_deletion_protection = false
		115 |   internal                   = false
		116 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
		117 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_wardship_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_wardship_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_wardship_access-${local.environment}"
		27 |   description = "Allow wardship on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow wardship on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:196-218

		196 | resource "aws_iam_role_policy" "app_task" {
		197 |   name = "task-${var.networking[0].application}"
		198 |   role = aws_iam_role.app_task.id
		199 | 
		200 |   policy = <<-EOF
		201 |   {
		202 |    "Version": "2012-10-17",
		203 |    "Statement": [
		204 |      {
		205 |        "Effect": "Allow",
		206 |         "Action": [
		207 |           "logs:CreateLogStream",
		208 |           "logs:PutLogEvents",
		209 |           "ecr:*",
		210 |           "iam:*",
		211 |           "ec2:*"
		212 |         ],
		213 |        "Resource": "*"
		214 |      }
		215 |    ]
		216 |   }
		217 |   EOF
		218 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/wardship

*****************************

Running tflint in terraform/environments/wardship
Excluding the following checks: terraform_unused_declarations
15 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 38:
  38:           awslogs-group         = "${aws_cloudwatch_log_group.deployment_logs.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 46:
  46:           value = "${aws_db_instance.wardship_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 50:
  50:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 54:
  54:           value = "${aws_db_instance.wardship_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 58:
  58:           value = "${aws_db_instance.wardship_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 62:
  62:           value = "${aws_db_instance.wardship_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 66:
  66:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 70:
  70:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 78:
  78:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/rds.tf line 104:
 104:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/wardship/rds.tf line 109:
 109: resource "null_resource" "setup_source_rds_security_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/rds.tf line 122:
 122:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/wardship/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/secrets.tf line 18:
  18:   secret_string = jsonencode({ "WARDSHIP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@tmahmood72 tmahmood72 temporarily deployed to apex-development October 16, 2023 14:54 — with GitHub Actions Inactive
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/ncas

*****************************

Running TFSEC in terraform/environments/ncas
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:234
────────────────────────────────────────────────────────────────────────────────
  218    resource "aws_security_group" "ecs_service" {
  ...  
  234  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  236    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-8 CRITICAL Security group rule allows ingress from public internet. (7 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:19-36
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "ncas_lb_sc" {
    .  
   19  ┌     cidr_blocks = [
   20  │       "194.33.196.0/25",
   21  │       "201.33.21.5/32",
   22  │       "93.56.171.15/32",
   23  │       "194.33.193.0/25",
   24  │       "179.50.12.212/32",
   25  │       "54.94.206.111/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-54 (aws_security_group.ncas_lb_sc) 7 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:44
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "ncas_lb_sc" {
    .  
   44  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   54    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:52
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "ncas_lb_sc" {
    .  
   52  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   54    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "ncas_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #12 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_ncas_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #13 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:76
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   76  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   79    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:151-158
────────────────────────────────────────────────────────────────────────────────
  142    resource "aws_iam_role_policy" "app_execution" {
  ...  
  151  ┌         "Action": [
  152  │           "ecr:*",
  153  │           "logs:CreateLogGroup",
  154  │           "logs:CreateLogStream",
  155  │           "logs:PutLogEvents",
  156  │           "logs:DescribeLogStreams",
  157  │           "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #15 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:159
────────────────────────────────────────────────────────────────────────────────
  142    resource "aws_iam_role_policy" "app_execution" {
  ...  
  159  [            "Resource": "*",
  ...  
  165    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #16-18 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:204-210
────────────────────────────────────────────────────────────────────────────────
  194    resource "aws_iam_role_policy" "app_task" {
  ...  
  204  ┌         "Action": [
  205  │           "logs:CreateLogStream",
  206  │           "logs:PutLogEvents",
  207  │           "ecr:*",
  208  │           "iam:*",
  209  │           "ec2:*"
  210  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:194-216 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:211
────────────────────────────────────────────────────────────────────────────────
  194    resource "aws_iam_role_policy" "app_task" {
  ...  
  211  [        "Resource": "*"
  ...  
  216    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:238-241
────────────────────────────────────────────────────────────────────────────────
  238    resource "aws_ecr_repository" "ncas_ecr_repo" {
  239      name         = "ncas-ecr-repo"
  240      force_delete = true
  241    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:238-241
────────────────────────────────────────────────────────────────────────────────
  238    resource "aws_ecr_repository" "ncas_ecr_repo" {
  239      name         = "ncas-ecr-repo"
  240      force_delete = true
  241    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:110-118
────────────────────────────────────────────────────────────────────────────────
  110    resource "aws_lb" "ncas_lb" {
  111      name                       = "ncas-load-balancer"
  112      load_balancer_type         = "application"
  113      security_groups            = [aws_security_group.ncas_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  114      subnets                    = data.aws_subnets.shared-public.ids
  115      enable_deletion_protection = false
  116      internal                   = false
  117      depends_on                 = [aws_security_group.ncas_lb_sc, aws_security_group.lb_sc_pingdom]
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:116
────────────────────────────────────────────────────────────────────────────────
  110    resource "aws_lb" "ncas_lb" {
  111      name                       = "ncas-load-balancer"
  112      load_balancer_type         = "application"
  113      security_groups            = [aws_security_group.ncas_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  114      subnets                    = data.aws_subnets.shared-public.ids
  115      enable_deletion_protection = false
  116  [   internal                   = false (false)
  117      depends_on                 = [aws_security_group.ncas_lb_sc, aws_security_group.lb_sc_pingdom]
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "ncas_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #25 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "ncas_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #27 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "ncas_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:218-236
────────────────────────────────────────────────────────────────────────────────
  218  ┌ resource "aws_security_group" "ecs_service" {
  219  │   name_prefix = "ecs-service-sg-"
  220  │   vpc_id      = data.aws_vpc.shared.id
  221  │ 
  222  │   ingress {
  223  │     from_port       = 80
  224  │     to_port         = 80
  225  │     protocol        = "tcp"
  226  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:230-235
────────────────────────────────────────────────────────────────────────────────
  218    resource "aws_security_group" "ecs_service" {
  ...  
  230  ┌   egress {
  231  │     from_port   = 0
  232  │     to_port     = 0
  233  │     protocol    = "-1"
  234  │     cidr_blocks = ["0.0.0.0/0"]
  235  └   }
  236    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:238-241
────────────────────────────────────────────────────────────────────────────────
  238    resource "aws_ecr_repository" "ncas_ecr_repo" {
  239      name         = "ncas-ecr-repo"
  240      force_delete = true
  241    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-11
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name = "/aws/events/deploymentLogs"
   11    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:15-37
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "ncas_lb_sc" {
    .  
   15  ┌   ingress {
   16  │     from_port = 443
   17  │     to_port   = 443
   18  │     protocol  = "tcp"
   19  │     cidr_blocks = [
   20  │       "194.33.196.0/25",
   21  │       "201.33.21.5/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:62-107
────────────────────────────────────────────────────────────────────────────────
   56    resource "aws_security_group" "lb_sc_pingdom" {
   57      name        = "load balancer Pingdom security group"
   58      description = "control Pingdom access to the load balancer"
   59      vpc_id      = data.aws_vpc.shared.id
   60    
   61      // Allow all European Pingdom IP addresses
   62  ┌   ingress {
   63  │     from_port = 443
   64  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "ncas_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #35 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_ncas_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             472.8µs
  parsing              20.789568ms
  adaptation           1.031698ms
  checks               47.065125ms
  total                69.359191ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     84
  files read           15

  results
  ──────────────────────────────────────────
  passed               34
  ignored              1
  critical             13
  high                 12
  medium               2
  low                  8

  34 passed, 1 ignored, 35 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/ncas

*****************************

Running Checkov in terraform/environments/ncas
terraform scan results:

Passed checks: 63, Failed checks: 39, Skipped checks: 0

Check: CKV_AWS_66: "Ensure that CloudWatch Log Group specifies retention days"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-11
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-13.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name = "/aws/events/deploymentLogs"
		11 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-11

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name = "/aws/events/deploymentLogs"
		11 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-11
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name = "/aws/events/deploymentLogs"
		11 | }

Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.ncas_ecs_service
	File: /ecs.tf:85-113

		85  | resource "aws_ecs_service" "ncas_ecs_service" {
		86  |   depends_on = [
		87  |     aws_lb_listener.ncas_lb
		88  |   ]
		89  | 
		90  |   name                              = var.networking[0].application
		91  |   cluster                           = aws_ecs_cluster.ncas_cluster.id
		92  |   task_definition                   = aws_ecs_task_definition.ncas_task_definition.arn
		93  |   launch_type                       = "FARGATE"
		94  |   enable_execute_command            = true
		95  |   desired_count                     = 2
		96  |   health_check_grace_period_seconds = 180
		97  | 
		98  |   network_configuration {
		99  |     subnets          = data.aws_subnets.shared-public.ids
		100 |     security_groups  = [aws_security_group.ecs_service.id]
		101 |     assign_public_ip = true
		102 |   }
		103 | 
		104 |   load_balancer {
		105 |     target_group_arn = aws_lb_target_group.ncas_target_group.arn
		106 |     container_name   = "ncas-container"
		107 |     container_port   = 80
		108 |   }
		109 | 
		110 |   deployment_controller {
		111 |     type = "ECS"
		112 |   }
		113 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:142-165

		142 | resource "aws_iam_role_policy" "app_execution" {
		143 |   name = "execution-${var.networking[0].application}"
		144 |   role = aws_iam_role.app_execution.id
		145 | 
		146 |   policy = <<-EOF
		147 |   {
		148 |     "Version": "2012-10-17",
		149 |     "Statement": [
		150 |       {
		151 |            "Action": [
		152 |               "ecr:*",
		153 |               "logs:CreateLogGroup",
		154 |               "logs:CreateLogStream",
		155 |               "logs:PutLogEvents",
		156 |               "logs:DescribeLogStreams",
		157 |               "secretsmanager:GetSecretValue"
		158 |            ],
		159 |            "Resource": "*",
		160 |            "Effect": "Allow"
		161 |       }
		162 |     ]
		163 |   }
		164 |   EOF
		165 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:142-165

		142 | resource "aws_iam_role_policy" "app_execution" {
		143 |   name = "execution-${var.networking[0].application}"
		144 |   role = aws_iam_role.app_execution.id
		145 | 
		146 |   policy = <<-EOF
		147 |   {
		148 |     "Version": "2012-10-17",
		149 |     "Statement": [
		150 |       {
		151 |            "Action": [
		152 |               "ecr:*",
		153 |               "logs:CreateLogGroup",
		154 |               "logs:CreateLogStream",
		155 |               "logs:PutLogEvents",
		156 |               "logs:DescribeLogStreams",
		157 |               "secretsmanager:GetSecretValue"
		158 |            ],
		159 |            "Resource": "*",
		160 |            "Effect": "Allow"
		161 |       }
		162 |     ]
		163 |   }
		164 |   EOF
		165 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:142-165

		142 | resource "aws_iam_role_policy" "app_execution" {
		143 |   name = "execution-${var.networking[0].application}"
		144 |   role = aws_iam_role.app_execution.id
		145 | 
		146 |   policy = <<-EOF
		147 |   {
		148 |     "Version": "2012-10-17",
		149 |     "Statement": [
		150 |       {
		151 |            "Action": [
		152 |               "ecr:*",
		153 |               "logs:CreateLogGroup",
		154 |               "logs:CreateLogStream",
		155 |               "logs:PutLogEvents",
		156 |               "logs:DescribeLogStreams",
		157 |               "secretsmanager:GetSecretValue"
		158 |            ],
		159 |            "Resource": "*",
		160 |            "Effect": "Allow"
		161 |       }
		162 |     ]
		163 |   }
		164 |   EOF
		165 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:142-165

		142 | resource "aws_iam_role_policy" "app_execution" {
		143 |   name = "execution-${var.networking[0].application}"
		144 |   role = aws_iam_role.app_execution.id
		145 | 
		146 |   policy = <<-EOF
		147 |   {
		148 |     "Version": "2012-10-17",
		149 |     "Statement": [
		150 |       {
		151 |            "Action": [
		152 |               "ecr:*",
		153 |               "logs:CreateLogGroup",
		154 |               "logs:CreateLogStream",
		155 |               "logs:PutLogEvents",
		156 |               "logs:DescribeLogStreams",
		157 |               "secretsmanager:GetSecretValue"
		158 |            ],
		159 |            "Resource": "*",
		160 |            "Effect": "Allow"
		161 |       }
		162 |     ]
		163 |   }
		164 |   EOF
		165 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:194-216

		194 | resource "aws_iam_role_policy" "app_task" {
		195 |   name = "task-${var.networking[0].application}"
		196 |   role = aws_iam_role.app_task.id
		197 | 
		198 |   policy = <<-EOF
		199 |   {
		200 |    "Version": "2012-10-17",
		201 |    "Statement": [
		202 |      {
		203 |        "Effect": "Allow",
		204 |         "Action": [
		205 |           "logs:CreateLogStream",
		206 |           "logs:PutLogEvents",
		207 |           "ecr:*",
		208 |           "iam:*",
		209 |           "ec2:*"
		210 |         ],
		211 |        "Resource": "*"
		212 |      }
		213 |    ]
		214 |   }
		215 |   EOF
		216 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:194-216

		194 | resource "aws_iam_role_policy" "app_task" {
		195 |   name = "task-${var.networking[0].application}"
		196 |   role = aws_iam_role.app_task.id
		197 | 
		198 |   policy = <<-EOF
		199 |   {
		200 |    "Version": "2012-10-17",
		201 |    "Statement": [
		202 |      {
		203 |        "Effect": "Allow",
		204 |         "Action": [
		205 |           "logs:CreateLogStream",
		206 |           "logs:PutLogEvents",
		207 |           "ecr:*",
		208 |           "iam:*",
		209 |           "ec2:*"
		210 |         ],
		211 |        "Resource": "*"
		212 |      }
		213 |    ]
		214 |   }
		215 |   EOF
		216 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:194-216

		194 | resource "aws_iam_role_policy" "app_task" {
		195 |   name = "task-${var.networking[0].application}"
		196 |   role = aws_iam_role.app_task.id
		197 | 
		198 |   policy = <<-EOF
		199 |   {
		200 |    "Version": "2012-10-17",
		201 |    "Statement": [
		202 |      {
		203 |        "Effect": "Allow",
		204 |         "Action": [
		205 |           "logs:CreateLogStream",
		206 |           "logs:PutLogEvents",
		207 |           "ecr:*",
		208 |           "iam:*",
		209 |           "ec2:*"
		210 |         ],
		211 |        "Resource": "*"
		212 |      }
		213 |    ]
		214 |   }
		215 |   EOF
		216 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:194-216

		194 | resource "aws_iam_role_policy" "app_task" {
		195 |   name = "task-${var.networking[0].application}"
		196 |   role = aws_iam_role.app_task.id
		197 | 
		198 |   policy = <<-EOF
		199 |   {
		200 |    "Version": "2012-10-17",
		201 |    "Statement": [
		202 |      {
		203 |        "Effect": "Allow",
		204 |         "Action": [
		205 |           "logs:CreateLogStream",
		206 |           "logs:PutLogEvents",
		207 |           "ecr:*",
		208 |           "iam:*",
		209 |           "ec2:*"
		210 |         ],
		211 |        "Resource": "*"
		212 |      }
		213 |    ]
		214 |   }
		215 |   EOF
		216 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:194-216

		194 | resource "aws_iam_role_policy" "app_task" {
		195 |   name = "task-${var.networking[0].application}"
		196 |   role = aws_iam_role.app_task.id
		197 | 
		198 |   policy = <<-EOF
		199 |   {
		200 |    "Version": "2012-10-17",
		201 |    "Statement": [
		202 |      {
		203 |        "Effect": "Allow",
		204 |         "Action": [
		205 |           "logs:CreateLogStream",
		206 |           "logs:PutLogEvents",
		207 |           "ecr:*",
		208 |           "iam:*",
		209 |           "ec2:*"
		210 |         ],
		211 |        "Resource": "*"
		212 |      }
		213 |    ]
		214 |   }
		215 |   EOF
		216 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:218-236
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		218 | resource "aws_security_group" "ecs_service" {
		219 |   name_prefix = "ecs-service-sg-"
		220 |   vpc_id      = data.aws_vpc.shared.id
		221 | 
		222 |   ingress {
		223 |     from_port       = 80
		224 |     to_port         = 80
		225 |     protocol        = "tcp"
		226 |     description     = "Allow traffic on port 80 from load balancer"
		227 |     security_groups = [aws_security_group.ncas_lb_sc.id]
		228 |   }
		229 | 
		230 |   egress {
		231 |     from_port   = 0
		232 |     to_port     = 0
		233 |     protocol    = "-1"
		234 |     cidr_blocks = ["0.0.0.0/0"]
		235 |   }
		236 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.ncas_ecr_repo
	File: /ecs.tf:238-241
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		238 | resource "aws_ecr_repository" "ncas_ecr_repo" {
		239 |   name         = "ncas-ecr-repo"
		240 |   force_delete = true
		241 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.ncas_ecr_repo
	File: /ecs.tf:238-241
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		238 | resource "aws_ecr_repository" "ncas_ecr_repo" {
		239 |   name         = "ncas-ecr-repo"
		240 |   force_delete = true
		241 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.ncas_ecr_repo
	File: /ecs.tf:238-241
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		238 | resource "aws_ecr_repository" "ncas_ecr_repo" {
		239 |   name         = "ncas-ecr-repo"
		240 |   force_delete = true
		241 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ncas_lb_sc
	File: /load_balancer.tf:1-54
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:56-108
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ncas_lb
	File: /load_balancer.tf:110-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		110 | resource "aws_lb" "ncas_lb" {
		111 |   name                       = "ncas-load-balancer"
		112 |   load_balancer_type         = "application"
		113 |   security_groups            = [aws_security_group.ncas_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		114 |   subnets                    = data.aws_subnets.shared-public.ids
		115 |   enable_deletion_protection = false
		116 |   internal                   = false
		117 |   depends_on                 = [aws_security_group.ncas_lb_sc, aws_security_group.lb_sc_pingdom]
		118 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ncas_lb
	File: /load_balancer.tf:110-118
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		110 | resource "aws_lb" "ncas_lb" {
		111 |   name                       = "ncas-load-balancer"
		112 |   load_balancer_type         = "application"
		113 |   security_groups            = [aws_security_group.ncas_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		114 |   subnets                    = data.aws_subnets.shared-public.ids
		115 |   enable_deletion_protection = false
		116 |   internal                   = false
		117 |   depends_on                 = [aws_security_group.ncas_lb_sc, aws_security_group.lb_sc_pingdom]
		118 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ncas_lb
	File: /load_balancer.tf:110-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		110 | resource "aws_lb" "ncas_lb" {
		111 |   name                       = "ncas-load-balancer"
		112 |   load_balancer_type         = "application"
		113 |   security_groups            = [aws_security_group.ncas_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		114 |   subnets                    = data.aws_subnets.shared-public.ids
		115 |   enable_deletion_protection = false
		116 |   internal                   = false
		117 |   depends_on                 = [aws_security_group.ncas_lb_sc, aws_security_group.lb_sc_pingdom]
		118 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ncas_target_group
	File: /load_balancer.tf:120-142
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		120 | resource "aws_lb_target_group" "ncas_target_group" {
		121 |   name                 = "ncas-target-group"
		122 |   port                 = 80
		123 |   protocol             = "HTTP"
		124 |   vpc_id               = data.aws_vpc.shared.id
		125 |   target_type          = "ip"
		126 |   deregistration_delay = 30
		127 | 
		128 |   stickiness {
		129 |     type = "lb_cookie"
		130 |   }
		131 | 
		132 |   health_check {
		133 |     healthy_threshold   = "3"
		134 |     interval            = "30"
		135 |     protocol            = "HTTP"
		136 |     port                = "80"
		137 |     unhealthy_threshold = "5"
		138 |     matcher             = "200-302"
		139 |     timeout             = "10"
		140 |   }
		141 | 
		142 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.ncas_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "ncas_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.ncas_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "ncas_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.ncas_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "ncas_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.ncas_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "ncas_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.ncas_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "ncas_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.ncas_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "ncas_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.ncas_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "ncas_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.ncas_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "ncas_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.ncas_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "ncas_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_ncas_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_ncas_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_ncas_access-${local.environment}"
		27 |   description = "Allow ncas on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow ncas on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.ncas_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "ncas_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.ncas_lb
	File: /load_balancer.tf:110-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		110 | resource "aws_lb" "ncas_lb" {
		111 |   name                       = "ncas-load-balancer"
		112 |   load_balancer_type         = "application"
		113 |   security_groups            = [aws_security_group.ncas_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		114 |   subnets                    = data.aws_subnets.shared-public.ids
		115 |   enable_deletion_protection = false
		116 |   internal                   = false
		117 |   depends_on                 = [aws_security_group.ncas_lb_sc, aws_security_group.lb_sc_pingdom]
		118 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_ncas_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_ncas_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_ncas_access-${local.environment}"
		27 |   description = "Allow ncas on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow ncas on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:194-216

		194 | resource "aws_iam_role_policy" "app_task" {
		195 |   name = "task-${var.networking[0].application}"
		196 |   role = aws_iam_role.app_task.id
		197 | 
		198 |   policy = <<-EOF
		199 |   {
		200 |    "Version": "2012-10-17",
		201 |    "Statement": [
		202 |      {
		203 |        "Effect": "Allow",
		204 |         "Action": [
		205 |           "logs:CreateLogStream",
		206 |           "logs:PutLogEvents",
		207 |           "ecr:*",
		208 |           "iam:*",
		209 |           "ec2:*"
		210 |         ],
		211 |        "Resource": "*"
		212 |      }
		213 |    ]
		214 |   }
		215 |   EOF
		216 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/ncas

*****************************

Running tflint in terraform/environments/ncas
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/ecs.tf line 38:
  38:           awslogs-group         = "${aws_cloudwatch_log_group.deployment_logs.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/ecs.tf line 46:
  46:           value = "${aws_db_instance.ncas_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/ecs.tf line 50:
  50:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/ecs.tf line 54:
  54:           value = "${aws_db_instance.ncas_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/ecs.tf line 58:
  58:           value = "${aws_db_instance.ncas_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/ecs.tf line 62:
  62:           value = "${aws_db_instance.ncas_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/ecs.tf line 66:
  66:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/ecs.tf line 70:
  70:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/rds.tf line 104:
 104:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/ncas/rds.tf line 109:
 109: resource "null_resource" "setup_source_rds_security_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/rds.tf line 122:
 122:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/ncas/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ncas/secrets.tf line 18:
  18:   secret_string = jsonencode({ "NCAS_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2
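Every Checkov failure in the run above lands on four resources: the `ncas_db` instance, the `rds_db_credentials` secret, the `modernisation_ncas_access` security group and the `app_task` role policy. The following is an added example, not code from the PR, showing the first, second and fourth rewritten so that each listed check passes, plus the `required_providers` block and plain references the tflint warnings ask for. It assumes a customer-managed key `aws_kms_key.rds` and an enhanced-monitoring role `aws_iam_role.rds_monitoring` exist elsewhere in the environment; the provider version constraints are illustrative, and the `postgresql`/`upgrade` log export names are specific to the PostgreSQL engine the 5432 security-group rule implies.

```hcl
# Added example (not part of the PR): ncas_db rewritten to clear the Checkov
# findings listed above. aws_kms_key.rds and aws_iam_role.rds_monitoring are
# assumed to be defined elsewhere in the environment.
terraform {
  required_providers {
    # tflint terraform_required_providers: pin the providers used by
    # random_password and null_resource (versions are illustrative).
    random = { source = "hashicorp/random", version = "~> 3.5" }
    null   = { source = "hashicorp/null", version = "~> 3.2" }
  }
}

resource "aws_db_instance" "ncas_db" {
  allocated_storage = local.application_data.accounts[local.environment].allocated_storage
  db_name           = local.application_data.accounts[local.environment].db_name
  storage_type      = local.application_data.accounts[local.environment].storage_type
  engine            = local.application_data.accounts[local.environment].engine
  identifier        = local.application_data.accounts[local.environment].identifier
  engine_version    = local.application_data.accounts[local.environment].engine_version
  instance_class    = local.application_data.accounts[local.environment].instance_class
  username          = local.application_data.accounts[local.environment].db_username
  password          = random_password.password.result

  vpc_security_group_ids = [aws_security_group.postgresql_db_sc.id]
  db_subnet_group_name   = aws_db_subnet_group.dbsubnetgroup.name

  # CKV_AWS_17: the ECS task reaches the database inside the VPC, so the
  # instance never needs a public endpoint.
  publicly_accessible = false

  # CKV_AWS_16 / CKV_AWS_353 / CKV_AWS_354: encrypt storage and Performance
  # Insights with the same customer-managed key (assumed key, ARN expected).
  storage_encrypted               = true
  kms_key_id                      = aws_kms_key.rds.arn
  performance_insights_enabled    = true
  performance_insights_kms_key_id = aws_kms_key.rds.arn

  # CKV_AWS_129: export engine logs to CloudWatch (PostgreSQL log types).
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]

  # CKV_AWS_118: enhanced monitoring needs an interval in seconds and a role
  # that carries AmazonRDSEnhancedMonitoringRole (assumed role).
  monitoring_interval = 60
  monitoring_role_arn = aws_iam_role.rds_monitoring.arn

  multi_az                   = true # CKV_AWS_157
  auto_minor_version_upgrade = true # CKV_AWS_226
  deletion_protection        = true # CKV_AWS_293
  copy_tags_to_snapshot      = true # CKV2_AWS_60

  # Keep a final snapshot on destroy rather than discarding the data.
  skip_final_snapshot       = false
  final_snapshot_identifier = "ncas-db-final-${local.environment}"

  allow_major_version_upgrade = true
}

# CKV_AWS_149: encrypt the secret with the customer-managed key instead of the
# AWS-managed default. Rotation (CKV2_AWS_57) needs a rotation Lambda and an
# aws_secretsmanager_secret_rotation resource, which are out of scope here.
resource "aws_secretsmanager_secret" "rds_db_credentials" {
  name                    = "rds-password"
  recovery_window_in_days = 7
  kms_key_id              = aws_kms_key.rds.arn
}

# CKV2_AWS_40: the task role had iam:*, ec2:* and ecr:* on "*". Image pulls
# belong to the ECS execution role, so the task role only needs to write to
# its own log group.
data "aws_iam_policy_document" "app_task" {
  statement {
    effect    = "Allow"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.deployment_logs.arn}:*"]
  }
}

resource "aws_iam_role_policy" "app_task" {
  name   = "task-${var.networking[0].application}"
  role   = aws_iam_role.app_task.id
  policy = data.aws_iam_policy_document.app_task.json
}
```

The remaining tflint warnings are mechanical: each `"${expr}"` in ecs.tf, rds.tf and secrets.tf becomes `expr`. CKV_AWS_23 is cleared by adding a `description` to the egress block of `modernisation_ncas_access`; note that its ingress rule is pinned to whatever public IP the Terraform runner had at apply time (`data.http.myip`), so the rule drifts with the runner and should be reviewed against a fixed NAT or VPC CIDR rather than silenced.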

@tmahmood72 tmahmood72 temporarily deployed to apex-development October 25, 2023 13:15 — with GitHub Actions Inactive
@tmahmood72 tmahmood72 temporarily deployed to apex-development October 25, 2023 13:57 — with GitHub Actions Inactive
@tajewole-moj tajewole-moj temporarily deployed to apex-development October 26, 2023 09:18 — with GitHub Actions Inactive
@github-actions

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/wardship

*****************************

Running TFSEC in terraform/environments/wardship
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:229
────────────────────────────────────────────────────────────────────────────────
  213    resource "aws_security_group" "ecs_service" {
  ...  
  229  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  231    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-7 CRITICAL Security group rule allows ingress from public internet. (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:19-34
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "wardship_lb_sc" {
    .  
   19  ┌     cidr_blocks = [
   20  │       "194.33.193.0/25",
   21  │       "179.50.12.212/32",
   22  │       "93.56.171.15/32",
   23  │       "52.67.148.55/32",
   24  │       "194.33.197.0/25",
   25  │       "213.121.161.124/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-52 (aws_security_group.wardship_lb_sc) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:42
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "wardship_lb_sc" {
    .  
   42  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:50
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "wardship_lb_sc" {
    .  
   50  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "wardship_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_wardship_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #12 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:76
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   76  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   79    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:148-153
────────────────────────────────────────────────────────────────────────────────
  139    resource "aws_iam_role_policy" "app_execution" {
  ...  
  148  ┌            "Action": [
  149  │              "ecr:*",
  150  │              "logs:CreateLogStream",
  151  │              "logs:PutLogEvents",
  152  │              "secretsmanager:GetSecretValue"
  153  └            ],
  ...  
  160    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:154
────────────────────────────────────────────────────────────────────────────────
  139    resource "aws_iam_role_policy" "app_execution" {
  ...  
  154  [            "Resource": "*",
  ...  
  160    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-17 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:199-205
────────────────────────────────────────────────────────────────────────────────
  189    resource "aws_iam_role_policy" "app_task" {
  ...  
  199  ┌         "Action": [
  200  │           "logs:CreateLogStream",
  201  │           "logs:PutLogEvents",
  202  │           "ecr:*",
  203  │           "iam:*",
  204  │           "ec2:*"
  205  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:189-211 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #18 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:206
────────────────────────────────────────────────────────────────────────────────
  189    resource "aws_iam_role_policy" "app_task" {
  ...  
  206  [        "Resource": "*"
  ...  
  211    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:233-236
────────────────────────────────────────────────────────────────────────────────
  233    resource "aws_ecr_repository" "wardship_ecr_repo" {
  234      name         = "wardship-ecr-repo"
  235      force_delete = true
  236    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:233-236
────────────────────────────────────────────────────────────────────────────────
  233    resource "aws_ecr_repository" "wardship_ecr_repo" {
  234      name         = "wardship-ecr-repo"
  235      force_delete = true
  236    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:109-117
────────────────────────────────────────────────────────────────────────────────
  109    resource "aws_lb" "wardship_lb" {
  110      name                       = "wardship-load-balancer"
  111      load_balancer_type         = "application"
  112      security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  113      subnets                    = data.aws_subnets.shared-public.ids
  114      enable_deletion_protection = false
  115      internal                   = false
  116      depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
  117    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:115
────────────────────────────────────────────────────────────────────────────────
  109    resource "aws_lb" "wardship_lb" {
  110      name                       = "wardship-load-balancer"
  111      load_balancer_type         = "application"
  112      security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  113      subnets                    = data.aws_subnets.shared-public.ids
  114      enable_deletion_protection = false
  115  [   internal                   = false (false)
  116      depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
  117    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "wardship_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #25 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "wardship_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "wardship_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #27 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:213-231
────────────────────────────────────────────────────────────────────────────────
  213  ┌ resource "aws_security_group" "ecs_service" {
  214  │   name_prefix = "ecs-service-sg-"
  215  │   vpc_id      = data.aws_vpc.shared.id
  216  │ 
  217  │   ingress {
  218  │     from_port       = 80
  219  │     to_port         = 80
  220  │     protocol        = "tcp"
  221  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:225-230
────────────────────────────────────────────────────────────────────────────────
  213    resource "aws_security_group" "ecs_service" {
  ...  
  225  ┌   egress {
  226  │     from_port   = 0
  227  │     to_port     = 0
  228  │     protocol    = "-1"
  229  │     cidr_blocks = ["0.0.0.0/0"]
  230  └   }
  231    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:233-236
────────────────────────────────────────────────────────────────────────────────
  233    resource "aws_ecr_repository" "wardship_ecr_repo" {
  234      name         = "wardship-ecr-repo"
  235      force_delete = true
  236    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name              = "/aws/events/deploymentLogs"
   11      retention_in_days = "7"
   12    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:15-35
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "wardship_lb_sc" {
    .  
   15  ┌   ingress {
   16  │     from_port = 443
   17  │     to_port   = 443
   18  │     protocol  = "tcp"
   19  │     cidr_blocks = [
   20  │       "194.33.193.0/25",
   21  │       "179.50.12.212/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:60-105
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_security_group" "lb_sc_pingdom" {
   55      name        = "load balancer Pingdom security group"
   56      description = "control Pingdom access to the load balancer"
   57      vpc_id      = data.aws_vpc.shared.id
   58    
   59      // Allow all European Pingdom IP addresses
   60  ┌   ingress {
   61  │     from_port = 443
   62  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "wardship_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_wardship_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             442.093µs
  parsing              20.598653ms
  adaptation           1.154986ms
  checks               53.602056ms
  total                75.797788ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     86
  files read           15

  results
  ──────────────────────────────────────────
  passed               32
  ignored              1
  critical             12
  high                 12
  medium               2
  low                  8

  32 passed, 1 ignored, 34 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/wardship

*****************************

Running Checkov in terraform/environments/wardship
terraform scan results:

Passed checks: 65, Failed checks: 38, Skipped checks: 0

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.wardship_task_definition
	File: /ecs.tf:14-80

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.wardship_ecs_service
	File: /ecs.tf:82-110

		82  | resource "aws_ecs_service" "wardship_ecs_service" {
		83  |   depends_on = [
		84  |     aws_lb_listener.wardship_lb
		85  |   ]
		86  | 
		87  |   name                              = var.networking[0].application
		88  |   cluster                           = aws_ecs_cluster.wardship_cluster.id
		89  |   task_definition                   = aws_ecs_task_definition.wardship_task_definition.arn
		90  |   launch_type                       = "FARGATE"
		91  |   enable_execute_command            = true
		92  |   desired_count                     = 2
		93  |   health_check_grace_period_seconds = 180
		94  | 
		95  |   network_configuration {
		96  |     subnets          = data.aws_subnets.shared-public.ids
		97  |     security_groups  = [aws_security_group.ecs_service.id]
		98  |     assign_public_ip = true
		99  |   }
		100 | 
		101 |   load_balancer {
		102 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		103 |     container_name   = "wardship-container"
		104 |     container_port   = 80
		105 |   }
		106 | 
		107 |   deployment_controller {
		108 |     type = "ECS"
		109 |   }
		110 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:139-160

		139 | resource "aws_iam_role_policy" "app_execution" {
		140 |   name = "execution-${var.networking[0].application}"
		141 |   role = aws_iam_role.app_execution.id
		142 | 
		143 |   policy = <<-EOF
		144 |   {
		145 |     "Version": "2012-10-17",
		146 |     "Statement": [
		147 |       {
		148 |            "Action": [
		149 |               "ecr:*",
		150 |               "logs:CreateLogStream",
		151 |               "logs:PutLogEvents",
		152 |               "secretsmanager:GetSecretValue"
		153 |            ],
		154 |            "Resource": "*",
		155 |            "Effect": "Allow"
		156 |       }
		157 |     ]
		158 |   }
		159 |   EOF
		160 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:139-160

		139 | resource "aws_iam_role_policy" "app_execution" {
		140 |   name = "execution-${var.networking[0].application}"
		141 |   role = aws_iam_role.app_execution.id
		142 | 
		143 |   policy = <<-EOF
		144 |   {
		145 |     "Version": "2012-10-17",
		146 |     "Statement": [
		147 |       {
		148 |            "Action": [
		149 |               "ecr:*",
		150 |               "logs:CreateLogStream",
		151 |               "logs:PutLogEvents",
		152 |               "secretsmanager:GetSecretValue"
		153 |            ],
		154 |            "Resource": "*",
		155 |            "Effect": "Allow"
		156 |       }
		157 |     ]
		158 |   }
		159 |   EOF
		160 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:139-160

		139 | resource "aws_iam_role_policy" "app_execution" {
		140 |   name = "execution-${var.networking[0].application}"
		141 |   role = aws_iam_role.app_execution.id
		142 | 
		143 |   policy = <<-EOF
		144 |   {
		145 |     "Version": "2012-10-17",
		146 |     "Statement": [
		147 |       {
		148 |            "Action": [
		149 |               "ecr:*",
		150 |               "logs:CreateLogStream",
		151 |               "logs:PutLogEvents",
		152 |               "secretsmanager:GetSecretValue"
		153 |            ],
		154 |            "Resource": "*",
		155 |            "Effect": "Allow"
		156 |       }
		157 |     ]
		158 |   }
		159 |   EOF
		160 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:139-160

		139 | resource "aws_iam_role_policy" "app_execution" {
		140 |   name = "execution-${var.networking[0].application}"
		141 |   role = aws_iam_role.app_execution.id
		142 | 
		143 |   policy = <<-EOF
		144 |   {
		145 |     "Version": "2012-10-17",
		146 |     "Statement": [
		147 |       {
		148 |            "Action": [
		149 |               "ecr:*",
		150 |               "logs:CreateLogStream",
		151 |               "logs:PutLogEvents",
		152 |               "secretsmanager:GetSecretValue"
		153 |            ],
		154 |            "Resource": "*",
		155 |            "Effect": "Allow"
		156 |       }
		157 |     ]
		158 |   }
		159 |   EOF
		160 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:189-211

		189 | resource "aws_iam_role_policy" "app_task" {
		190 |   name = "task-${var.networking[0].application}"
		191 |   role = aws_iam_role.app_task.id
		192 | 
		193 |   policy = <<-EOF
		194 |   {
		195 |    "Version": "2012-10-17",
		196 |    "Statement": [
		197 |      {
		198 |        "Effect": "Allow",
		199 |         "Action": [
		200 |           "logs:CreateLogStream",
		201 |           "logs:PutLogEvents",
		202 |           "ecr:*",
		203 |           "iam:*",
		204 |           "ec2:*"
		205 |         ],
		206 |        "Resource": "*"
		207 |      }
		208 |    ]
		209 |   }
		210 |   EOF
		211 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:189-211

		189 | resource "aws_iam_role_policy" "app_task" {
		190 |   name = "task-${var.networking[0].application}"
		191 |   role = aws_iam_role.app_task.id
		192 | 
		193 |   policy = <<-EOF
		194 |   {
		195 |    "Version": "2012-10-17",
		196 |    "Statement": [
		197 |      {
		198 |        "Effect": "Allow",
		199 |         "Action": [
		200 |           "logs:CreateLogStream",
		201 |           "logs:PutLogEvents",
		202 |           "ecr:*",
		203 |           "iam:*",
		204 |           "ec2:*"
		205 |         ],
		206 |        "Resource": "*"
		207 |      }
		208 |    ]
		209 |   }
		210 |   EOF
		211 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:189-211

		189 | resource "aws_iam_role_policy" "app_task" {
		190 |   name = "task-${var.networking[0].application}"
		191 |   role = aws_iam_role.app_task.id
		192 | 
		193 |   policy = <<-EOF
		194 |   {
		195 |    "Version": "2012-10-17",
		196 |    "Statement": [
		197 |      {
		198 |        "Effect": "Allow",
		199 |         "Action": [
		200 |           "logs:CreateLogStream",
		201 |           "logs:PutLogEvents",
		202 |           "ecr:*",
		203 |           "iam:*",
		204 |           "ec2:*"
		205 |         ],
		206 |        "Resource": "*"
		207 |      }
		208 |    ]
		209 |   }
		210 |   EOF
		211 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:189-211

		189 | resource "aws_iam_role_policy" "app_task" {
		190 |   name = "task-${var.networking[0].application}"
		191 |   role = aws_iam_role.app_task.id
		192 | 
		193 |   policy = <<-EOF
		194 |   {
		195 |    "Version": "2012-10-17",
		196 |    "Statement": [
		197 |      {
		198 |        "Effect": "Allow",
		199 |         "Action": [
		200 |           "logs:CreateLogStream",
		201 |           "logs:PutLogEvents",
		202 |           "ecr:*",
		203 |           "iam:*",
		204 |           "ec2:*"
		205 |         ],
		206 |        "Resource": "*"
		207 |      }
		208 |    ]
		209 |   }
		210 |   EOF
		211 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:189-211

		189 | resource "aws_iam_role_policy" "app_task" {
		190 |   name = "task-${var.networking[0].application}"
		191 |   role = aws_iam_role.app_task.id
		192 | 
		193 |   policy = <<-EOF
		194 |   {
		195 |    "Version": "2012-10-17",
		196 |    "Statement": [
		197 |      {
		198 |        "Effect": "Allow",
		199 |         "Action": [
		200 |           "logs:CreateLogStream",
		201 |           "logs:PutLogEvents",
		202 |           "ecr:*",
		203 |           "iam:*",
		204 |           "ec2:*"
		205 |         ],
		206 |        "Resource": "*"
		207 |      }
		208 |    ]
		209 |   }
		210 |   EOF
		211 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:213-231
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		213 | resource "aws_security_group" "ecs_service" {
		214 |   name_prefix = "ecs-service-sg-"
		215 |   vpc_id      = data.aws_vpc.shared.id
		216 | 
		217 |   ingress {
		218 |     from_port       = 80
		219 |     to_port         = 80
		220 |     protocol        = "tcp"
		221 |     description     = "Allow traffic on port 80 from load balancer"
		222 |     security_groups = [aws_security_group.wardship_lb_sc.id]
		223 |   }
		224 | 
		225 |   egress {
		226 |     from_port   = 0
		227 |     to_port     = 0
		228 |     protocol    = "-1"
		229 |     cidr_blocks = ["0.0.0.0/0"]
		230 |   }
		231 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:233-236
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		233 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		234 |   name         = "wardship-ecr-repo"
		235 |   force_delete = true
		236 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:233-236
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		233 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		234 |   name         = "wardship-ecr-repo"
		235 |   force_delete = true
		236 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:233-236
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		233 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		234 |   name         = "wardship-ecr-repo"
		235 |   force_delete = true
		236 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.wardship_lb_sc
	File: /load_balancer.tf:1-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:54-106
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:109-117
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		109 | resource "aws_lb" "wardship_lb" {
		110 |   name                       = "wardship-load-balancer"
		111 |   load_balancer_type         = "application"
		112 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		113 |   subnets                    = data.aws_subnets.shared-public.ids
		114 |   enable_deletion_protection = false
		115 |   internal                   = false
		116 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
		117 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:109-117
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		109 | resource "aws_lb" "wardship_lb" {
		110 |   name                       = "wardship-load-balancer"
		111 |   load_balancer_type         = "application"
		112 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		113 |   subnets                    = data.aws_subnets.shared-public.ids
		114 |   enable_deletion_protection = false
		115 |   internal                   = false
		116 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
		117 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:109-117
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		109 | resource "aws_lb" "wardship_lb" {
		110 |   name                       = "wardship-load-balancer"
		111 |   load_balancer_type         = "application"
		112 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		113 |   subnets                    = data.aws_subnets.shared-public.ids
		114 |   enable_deletion_protection = false
		115 |   internal                   = false
		116 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
		117 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.wardship_target_group
	File: /load_balancer.tf:119-141
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		119 | resource "aws_lb_target_group" "wardship_target_group" {
		120 |   name                 = "wardship-target-group"
		121 |   port                 = 80
		122 |   protocol             = "HTTP"
		123 |   vpc_id               = data.aws_vpc.shared.id
		124 |   target_type          = "ip"
		125 |   deregistration_delay = 30
		126 | 
		127 |   stickiness {
		128 |     type = "lb_cookie"
		129 |   }
		130 | 
		131 |   health_check {
		132 |     healthy_threshold   = "3"
		133 |     interval            = "30"
		134 |     protocol            = "HTTP"
		135 |     port                = "80"
		136 |     unhealthy_threshold = "5"
		137 |     matcher             = "200-302"
		138 |     timeout             = "10"
		139 |   }
		140 | 
		141 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_wardship_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_wardship_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_wardship_access-${local.environment}"
		27 |   description = "Allow wardship on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow wardship on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_wardship_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_wardship_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_wardship_access-${local.environment}"
		27 |   description = "Allow wardship on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow wardship on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:109-117
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		109 | resource "aws_lb" "wardship_lb" {
		110 |   name                       = "wardship-load-balancer"
		111 |   load_balancer_type         = "application"
		112 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		113 |   subnets                    = data.aws_subnets.shared-public.ids
		114 |   enable_deletion_protection = false
		115 |   internal                   = false
		116 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom]
		117 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:189-211

		189 | resource "aws_iam_role_policy" "app_task" {
		190 |   name = "task-${var.networking[0].application}"
		191 |   role = aws_iam_role.app_task.id
		192 | 
		193 |   policy = <<-EOF
		194 |   {
		195 |    "Version": "2012-10-17",
		196 |    "Statement": [
		197 |      {
		198 |        "Effect": "Allow",
		199 |         "Action": [
		200 |           "logs:CreateLogStream",
		201 |           "logs:PutLogEvents",
		202 |           "ecr:*",
		203 |           "iam:*",
		204 |           "ec2:*"
		205 |         ],
		206 |        "Resource": "*"
		207 |      }
		208 |    ]
		209 |   }
		210 |   EOF
		211 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/wardship

*****************************

Running tflint in terraform/environments/wardship
Excluding the following checks: terraform_unused_declarations
15 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 39:
  39:           value = "${aws_db_instance.wardship_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 47:
  47:           value = "${aws_db_instance.wardship_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 51:
  51:           value = "${aws_db_instance.wardship_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 55:
  55:           value = "${aws_db_instance.wardship_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 71:
  71:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/rds.tf line 105:
 105:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/rds.tf line 123:
 123:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/wardship/rds.tf line 128:
 128: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/rds.tf line 145:
 145:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/wardship/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/secrets.tf line 18:
  18:   secret_string = jsonencode({ "WARDSHIP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@tajewole-moj tajewole-moj temporarily deployed to apex-development October 26, 2023 09:58 — with GitHub Actions Inactive
@github-actions

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/pra-register

*****************************

Running TFSEC in terraform/environments/pra-register
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_security_group" "ecs_service" {
  ...  
  227  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-7 CRITICAL Security group rule allows ingress from public internet. (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:35-51
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   35  ┌     cidr_blocks = [
   36  │       "201.33.21.5/32",
   37  │       "213.121.161.124/32",
   38  │       "157.203.176.0/25",
   39  │       "194.33.196.0/25",
   40  │       "93.56.171.15/32",
   41  │       "195.59.75.0/24",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-69 (aws_security_group.pra_lb_sc) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:59
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   59  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:67
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   67  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "pra_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_pra_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #12 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:76
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   76  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   79    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:144-151
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  144  ┌           "Action": [
  145  │             "ecr:*",
  146  │             "logs:CreateLogGroup",
  147  │             "logs:CreateLogStream",
  148  │             "logs:PutLogEvents",
  149  │             "logs:DescribeLogStreams",
  150  │             "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:152
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  152  [            "Resource": "*",
  ...  
  158    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-17 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:197-203
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_iam_role_policy" "app_task" {
  ...  
  197  ┌         "Action": [
  198  │           "logs:CreateLogStream",
  199  │           "logs:PutLogEvents",
  200  │           "ecr:*",
  201  │           "iam:*",
  202  │           "ec2:*"
  203  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:187-209 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #18 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:204
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_iam_role_policy" "app_task" {
  ...  
  204  [        "Resource": "*"
  ...  
  209    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:126-134
────────────────────────────────────────────────────────────────────────────────
  126    resource "aws_lb" "pra_lb" {
  127      name                       = "pra-load-balancer"
  128      load_balancer_type         = "application"
  129      security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  130      subnets                    = data.aws_subnets.shared-public.ids
  131      enable_deletion_protection = false
  132      internal                   = false
  133      depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:132
────────────────────────────────────────────────────────────────────────────────
  126    resource "aws_lb" "pra_lb" {
  127      name                       = "pra-load-balancer"
  128      load_balancer_type         = "application"
  129      security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  130      subnets                    = data.aws_subnets.shared-public.ids
  131      enable_deletion_protection = false
  132  [   internal                   = false (false)
  133      depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #25 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #27 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:211-229
────────────────────────────────────────────────────────────────────────────────
  211  ┌ resource "aws_security_group" "ecs_service" {
  212  │   name_prefix = "ecs-service-sg-"
  213  │   vpc_id      = data.aws_vpc.shared.id
  214  │ 
  215  │   ingress {
  216  │     from_port       = 80
  217  │     to_port         = 80
  218  │     protocol        = "tcp"
  219  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:223-228
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_security_group" "ecs_service" {
  ...  
  223  ┌   egress {
  224  │     from_port   = 0
  225  │     to_port     = 0
  226  │     protocol    = "-1"
  227  │     cidr_blocks = ["0.0.0.0/0"]
  228  └   }
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name              = "/aws/events/deploymentLogs"
   11      retention_in_days = "7"
   12    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:31-52
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   31  ┌   ingress {
   32  │     from_port = 443
   33  │     to_port   = 443
   34  │     protocol  = "tcp"
   35  │     cidr_blocks = [
   36  │       "201.33.21.5/32",
   37  │       "213.121.161.124/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:77-122
────────────────────────────────────────────────────────────────────────────────
   71    resource "aws_security_group" "lb_sc_pingdom" {
   72      name        = "load balancer Pingdom security group"
   73      description = "control Pingdom access to the load balancer"
   74      vpc_id      = data.aws_vpc.shared.id
   75    
   76      // Allow all European Pingdom IP addresses
   77  ┌   ingress {
   78  │     from_port = 443
   79  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_pra_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             313.2µs
  parsing              24.803263ms
  adaptation           672.902µs
  checks               32.842482ms
  total                58.631847ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     86
  files read           15

  results
  ──────────────────────────────────────────
  passed               38
  ignored              1
  critical             12
  high                 12
  medium               2
  low                  8

  38 passed, 1 ignored, 34 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/pra-register

*****************************

Running Checkov in terraform/environments/pra-register
terraform scan results:

Passed checks: 65, Failed checks: 38, Skipped checks: 0

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.pra_task_definition
	File: /ecs.tf:14-76

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.pra_ecs_service
	File: /ecs.tf:78-106

		78  | resource "aws_ecs_service" "pra_ecs_service" {
		79  |   depends_on = [
		80  |     aws_lb_listener.pra_lb
		81  |   ]
		82  | 
		83  |   name                              = var.networking[0].application
		84  |   cluster                           = aws_ecs_cluster.pra_cluster.id
		85  |   task_definition                   = aws_ecs_task_definition.pra_task_definition.arn
		86  |   launch_type                       = "FARGATE"
		87  |   enable_execute_command            = true
		88  |   desired_count                     = 2
		89  |   health_check_grace_period_seconds = 180
		90  | 
		91  |   network_configuration {
		92  |     subnets          = data.aws_subnets.shared-public.ids
		93  |     security_groups  = [aws_security_group.ecs_service.id]
		94  |     assign_public_ip = true
		95  |   }
		96  | 
		97  |   load_balancer {
		98  |     target_group_arn = aws_lb_target_group.pra_target_group.arn
		99  |     container_name   = "pra-container"
		100 |     container_port   = 80
		101 |   }
		102 | 
		103 |   deployment_controller {
		104 |     type = "ECS"
		105 |   }
		106 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:211-229
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		211 | resource "aws_security_group" "ecs_service" {
		212 |   name_prefix = "ecs-service-sg-"
		213 |   vpc_id      = data.aws_vpc.shared.id
		214 | 
		215 |   ingress {
		216 |     from_port       = 80
		217 |     to_port         = 80
		218 |     protocol        = "tcp"
		219 |     description     = "Allow traffic on port 80 from load balancer"
		220 |     security_groups = [aws_security_group.pra_lb_sc.id]
		221 |   }
		222 | 
		223 |   egress {
		224 |     from_port   = 0
		225 |     to_port     = 0
		226 |     protocol    = "-1"
		227 |     cidr_blocks = ["0.0.0.0/0"]
		228 |   }
		229 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.pra_lb_sc
	File: /load_balancer.tf:1-69
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:71-123
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.pra_target_group
	File: /load_balancer.tf:136-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		136 | resource "aws_lb_target_group" "pra_target_group" {
		137 |   name                 = "pra-target-group"
		138 |   port                 = 80
		139 |   protocol             = "HTTP"
		140 |   vpc_id               = data.aws_vpc.shared.id
		141 |   target_type          = "ip"
		142 |   deregistration_delay = 30
		143 | 
		144 |   stickiness {
		145 |     type = "lb_cookie"
		146 |   }
		147 | 
		148 |   health_check {
		149 |     healthy_threshold   = "3"
		150 |     interval            = "30"
		151 |     protocol            = "HTTP"
		152 |     port                = "80"
		153 |     unhealthy_threshold = "5"
		154 |     matcher             = "200-302"
		155 |     timeout             = "10"
		156 |   }
		157 | 
		158 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_pra_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_pra_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_pra_access-${local.environment}"
		27 |   description = "Allow pra on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow pra on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_pra_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_pra_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_pra_access-${local.environment}"
		27 |   description = "Allow pra on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow pra on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/pra-register

*****************************

Running tflint in terraform/environments/pra-register
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 39:
  39:           value = "${aws_db_instance.pra_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 47:
  47:           value = "${aws_db_instance.pra_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 51:
  51:           value = "${aws_db_instance.pra_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 55:
  55:           value = "${aws_db_instance.pra_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 106:
 106:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 124:
 124:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/pra-register/rds.tf line 129:
 129: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 146:
 146:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/pra-register/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/secrets.tf line 18:
  18:   secret_string = jsonencode({ "PRA_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@tajewole-moj tajewole-moj temporarily deployed to apex-development October 26, 2023 10:07 — with GitHub Actions Inactive
@github-actions

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/pra-register

*****************************

Running TFSEC in terraform/environments/pra-register
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_security_group" "ecs_service" {
  ...  
  227  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-7 CRITICAL Security group rule allows ingress from public internet. (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:35-51
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   35  ┌     cidr_blocks = [
   36  │       "201.33.21.5/32",
   37  │       "213.121.161.124/32",
   38  │       "157.203.176.0/25",
   39  │       "194.33.196.0/25",
   40  │       "93.56.171.15/32",
   41  │       "195.59.75.0/24",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-69 (aws_security_group.pra_lb_sc) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:59
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   59  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:67
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   67  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "pra_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_pra_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #12 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:76
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   76  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   79    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:144-151
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  144  ┌         "Action": [
  145  │           "ecr:*",
  146  │           "logs:CreateLogGroup",
  147  │           "logs:CreateLogStream",
  148  │           "logs:PutLogEvents",
  149  │           "logs:DescribeLogStreams",
  150  │           "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:152
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  152  [            "Resource": "*",
  ...  
  158    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-17 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:197-203
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_iam_role_policy" "app_task" {
  ...  
  197  ┌         "Action": [
  198  │           "logs:CreateLogStream",
  199  │           "logs:PutLogEvents",
  200  │           "ecr:*",
  201  │           "iam:*",
  202  │           "ec2:*"
  203  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:187-209 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #18 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:204
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_iam_role_policy" "app_task" {
  ...  
  204  [        "Resource": "*"
  ...  
  209    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:126-134
────────────────────────────────────────────────────────────────────────────────
  126    resource "aws_lb" "pra_lb" {
  127      name                       = "pra-load-balancer"
  128      load_balancer_type         = "application"
  129      security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  130      subnets                    = data.aws_subnets.shared-public.ids
  131      enable_deletion_protection = false
  132      internal                   = false
  133      depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:132
────────────────────────────────────────────────────────────────────────────────
  126    resource "aws_lb" "pra_lb" {
  127      name                       = "pra-load-balancer"
  128      load_balancer_type         = "application"
  129      security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  130      subnets                    = data.aws_subnets.shared-public.ids
  131      enable_deletion_protection = false
  132  [   internal                   = false (false)
  133      depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #25 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #27 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:211-229
────────────────────────────────────────────────────────────────────────────────
  211  ┌ resource "aws_security_group" "ecs_service" {
  212  │   name_prefix = "ecs-service-sg-"
  213  │   vpc_id      = data.aws_vpc.shared.id
  214  │ 
  215  │   ingress {
  216  │     from_port       = 80
  217  │     to_port         = 80
  218  │     protocol        = "tcp"
  219  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:223-228
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_security_group" "ecs_service" {
  ...  
  223  ┌   egress {
  224  │     from_port   = 0
  225  │     to_port     = 0
  226  │     protocol    = "-1"
  227  │     cidr_blocks = ["0.0.0.0/0"]
  228  └   }
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name              = "/aws/events/deploymentLogs"
   11      retention_in_days = "7"
   12    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:31-52
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   31  ┌   ingress {
   32  │     from_port = 443
   33  │     to_port   = 443
   34  │     protocol  = "tcp"
   35  │     cidr_blocks = [
   36  │       "201.33.21.5/32",
   37  │       "213.121.161.124/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:77-122
────────────────────────────────────────────────────────────────────────────────
   71    resource "aws_security_group" "lb_sc_pingdom" {
   72      name        = "load balancer Pingdom security group"
   73      description = "control Pingdom access to the load balancer"
   74      vpc_id      = data.aws_vpc.shared.id
   75    
   76      // Allow all European Pingdom IP addresses
   77  ┌   ingress {
   78  │     from_port = 443
   79  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_pra_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             310.302µs
  parsing              21.446456ms
  adaptation           685.202µs
  checks               36.419496ms
  total                58.861456ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     86
  files read           15

  results
  ──────────────────────────────────────────
  passed               38
  ignored              1
  critical             12
  high                 12
  medium               2
  low                  8

  38 passed, 1 ignored, 34 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/pra-register

*****************************

Running Checkov in terraform/environments/pra-register
terraform scan results:

Passed checks: 65, Failed checks: 38, Skipped checks: 0

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.pra_task_definition
	File: /ecs.tf:14-76

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.pra_ecs_service
	File: /ecs.tf:78-106

		78  | resource "aws_ecs_service" "pra_ecs_service" {
		79  |   depends_on = [
		80  |     aws_lb_listener.pra_lb
		81  |   ]
		82  | 
		83  |   name                              = var.networking[0].application
		84  |   cluster                           = aws_ecs_cluster.pra_cluster.id
		85  |   task_definition                   = aws_ecs_task_definition.pra_task_definition.arn
		86  |   launch_type                       = "FARGATE"
		87  |   enable_execute_command            = true
		88  |   desired_count                     = 2
		89  |   health_check_grace_period_seconds = 180
		90  | 
		91  |   network_configuration {
		92  |     subnets          = data.aws_subnets.shared-public.ids
		93  |     security_groups  = [aws_security_group.ecs_service.id]
		94  |     assign_public_ip = true
		95  |   }
		96  | 
		97  |   load_balancer {
		98  |     target_group_arn = aws_lb_target_group.pra_target_group.arn
		99  |     container_name   = "pra-container"
		100 |     container_port   = 80
		101 |   }
		102 | 
		103 |   deployment_controller {
		104 |     type = "ECS"
		105 |   }
		106 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:211-229
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		211 | resource "aws_security_group" "ecs_service" {
		212 |   name_prefix = "ecs-service-sg-"
		213 |   vpc_id      = data.aws_vpc.shared.id
		214 | 
		215 |   ingress {
		216 |     from_port       = 80
		217 |     to_port         = 80
		218 |     protocol        = "tcp"
		219 |     description     = "Allow traffic on port 80 from load balancer"
		220 |     security_groups = [aws_security_group.pra_lb_sc.id]
		221 |   }
		222 | 
		223 |   egress {
		224 |     from_port   = 0
		225 |     to_port     = 0
		226 |     protocol    = "-1"
		227 |     cidr_blocks = ["0.0.0.0/0"]
		228 |   }
		229 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.pra_lb_sc
	File: /load_balancer.tf:1-69
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:71-123
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.pra_target_group
	File: /load_balancer.tf:136-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		136 | resource "aws_lb_target_group" "pra_target_group" {
		137 |   name                 = "pra-target-group"
		138 |   port                 = 80
		139 |   protocol             = "HTTP"
		140 |   vpc_id               = data.aws_vpc.shared.id
		141 |   target_type          = "ip"
		142 |   deregistration_delay = 30
		143 | 
		144 |   stickiness {
		145 |     type = "lb_cookie"
		146 |   }
		147 | 
		148 |   health_check {
		149 |     healthy_threshold   = "3"
		150 |     interval            = "30"
		151 |     protocol            = "HTTP"
		152 |     port                = "80"
		153 |     unhealthy_threshold = "5"
		154 |     matcher             = "200-302"
		155 |     timeout             = "10"
		156 |   }
		157 | 
		158 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_pra_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_pra_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_pra_access-${local.environment}"
		27 |   description = "Allow pra on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow pra on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_pra_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_pra_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_pra_access-${local.environment}"
		27 |   description = "Allow pra on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow pra on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/pra-register

*****************************

Running tflint in terraform/environments/pra-register
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 39:
  39:           value = "${aws_db_instance.pra_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 47:
  47:           value = "${aws_db_instance.pra_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 51:
  51:           value = "${aws_db_instance.pra_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 55:
  55:           value = "${aws_db_instance.pra_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 106:
 106:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 124:
 124:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/pra-register/rds.tf line 129:
 129: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 146:
 146:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/pra-register/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/secrets.tf line 18:
  18:   secret_string = jsonencode({ "PRA_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

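The tflint warnings in the comment above (no version constraints for the `null` and `random` providers, interpolation-only `"${timestamp()}"` expressions) and the tfsec findings reported in the next scan on this PR (`0.0.0.0/0` egress rules, a publicly accessible and unencrypted RDS instance, `ecr:*` and `logs:*` on `Resource "*"`, an ECR repository without scan-on-push or immutable tags, an ALB that does not drop invalid header fields) all have direct Terraform fixes. The block below is an added example written for this page, not code from the PR or from the modernisation-platform-environments repository. It assumes a KMS key `aws_kms_key.pra`, a secret `aws_secretsmanager_secret.db`, VPC endpoints for ECR, CloudWatch Logs and Secrets Manager inside `data.aws_vpc.shared`, and PostgreSQL on port 5432; none of those appear in the scan output.

```hcl
terraform {
  required_providers {
    # tflint terraform_required_providers: pin every provider the module uses
    aws    = { source = "hashicorp/aws", version = "~> 5.0" }
    null   = { source = "hashicorp/null", version = "~> 3.2" }
    random = { source = "hashicorp/random", version = "~> 3.5" }
  }
}

# ECR: scan on push, immutable tags, customer-managed key
resource "aws_ecr_repository" "pra_ecr_repo" {
  name                 = "pra-ecr-repo"
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.pra.arn # assumed key, not in the PR
  }
}

# RDS: private, encrypted at rest, recoverable
resource "aws_db_instance" "pra_db" {
  engine                  = "postgres"
  instance_class          = "db.t3.micro"
  allocated_storage       = 20
  username                = "pra"
  password                = random_password.password.result
  vpc_security_group_ids  = [aws_security_group.postgresql_db_sc.id]
  publicly_accessible     = false
  storage_encrypted       = true
  kms_key_id              = aws_kms_key.pra.arn
  backup_retention_period = 14
  deletion_protection     = true
}

# ALB is public by design, so the finding is recorded as an accepted risk
#tfsec:ignore:aws-elb-alb-not-public
resource "aws_lb" "pra_lb" {
  name                       = "pra-load-balancer"
  load_balancer_type         = "application"
  internal                   = false
  drop_invalid_header_fields = true
  security_groups            = [aws_security_group.pra_lb_sc.id]
  subnets                    = data.aws_subnets.shared-public.ids
}

# ECS service SG: ingress from the ALB only, egress to endpoints and the DB
resource "aws_security_group" "ecs_service" {
  name_prefix = "ecs-service-sg-"
  description = "PRA ECS service traffic"
  vpc_id      = data.aws_vpc.shared.id
  ingress {
    description     = "HTTP from the load balancer"
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.pra_lb_sc.id]
  }
  egress {
    description = "HTTPS to ECR, Logs and Secrets Manager VPC endpoints (assumed to exist)"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.shared.cidr_block]
  }
  egress {
    description     = "PostgreSQL to the database security group"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.postgresql_db_sc.id]
  }
}

# Execution role policy: only ecr:GetAuthorizationToken needs Resource "*"
data "aws_iam_policy_document" "app_execution" {
  statement {
    sid       = "EcrLogin"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    sid       = "EcrPull"
    actions   = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
    resources = [aws_ecr_repository.pra_ecr_repo.arn]
  }
  statement {
    sid       = "Logs"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.deployment_logs.arn}:*"]
  }
  statement {
    sid       = "DbSecret"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db.arn] # assumed secret, not in the PR
  }
}
```

The policy document's `.json` output replaces the inline JSON in `aws_iam_role_policy.app_execution`; the task role in the scan (`iam:*`, `ec2:*`, `ecr:*`) should lose those actions outright, since an ECS task has no reason to administer IAM or EC2. Restricting egress to the VPC CIDR only works when image pulls, log delivery and secret reads go through VPC endpoints; without them the task still needs 443 to the internet, and the honest fix is a `#tfsec:ignore` with a stated reason rather than a silent `0.0.0.0/0`. The same applies to the ALB: it must be internet-facing, so the ignore comment records the accepted risk where the next reviewer will see it.
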
@tajewole-moj tajewole-moj temporarily deployed to apex-development October 26, 2023 14:28 — with GitHub Actions Inactive
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/pra-register

*****************************

Running TFSEC in terraform/environments/pra-register
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_security_group" "ecs_service" {
  ...  
  227  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-7 CRITICAL Security group rule allows ingress from public internet. (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:35-51
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   35  ┌     cidr_blocks = [
   36  │       "201.33.21.5/32",
   37  │       "213.121.161.124/32",
   38  │       "157.203.176.0/25",
   39  │       "194.33.196.0/25",
   40  │       "93.56.171.15/32",
   41  │       "195.59.75.0/24",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-69 (aws_security_group.pra_lb_sc) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:59
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   59  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:67
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   67  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "pra_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_pra_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #12 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:80
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   80  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   83    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:144-151
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  144  ┌         "Action": [
  145  │           "ecr:*",
  146  │           "logs:CreateLogGroup",
  147  │           "logs:CreateLogStream",
  148  │           "logs:PutLogEvents",
  149  │           "logs:DescribeLogStreams",
  150  │           "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:152
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  152  [            "Resource": "*",
  ...  
  158    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-17 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:197-203
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_iam_role_policy" "app_task" {
  ...  
  197  ┌         "Action": [
  198  │           "logs:CreateLogStream",
  199  │           "logs:PutLogEvents",
  200  │           "ecr:*",
  201  │           "iam:*",
  202  │           "ec2:*"
  203  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:187-209 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #18 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:204
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_iam_role_policy" "app_task" {
  ...  
  204  [        "Resource": "*"
  ...  
  209    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:126-134
────────────────────────────────────────────────────────────────────────────────
  126    resource "aws_lb" "pra_lb" {
  127      name                       = "pra-load-balancer"
  128      load_balancer_type         = "application"
  129      security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  130      subnets                    = data.aws_subnets.shared-public.ids
  131      enable_deletion_protection = false
  132      internal                   = false
  133      depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:132
────────────────────────────────────────────────────────────────────────────────
  126    resource "aws_lb" "pra_lb" {
  127      name                       = "pra-load-balancer"
  128      load_balancer_type         = "application"
  129      security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  130      subnets                    = data.aws_subnets.shared-public.ids
  131      enable_deletion_protection = false
  132  [   internal                   = false (false)
  133      depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #25 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #27 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:211-229
────────────────────────────────────────────────────────────────────────────────
  211  ┌ resource "aws_security_group" "ecs_service" {
  212  │   name_prefix = "ecs-service-sg-"
  213  │   vpc_id      = data.aws_vpc.shared.id
  214  │ 
  215  │   ingress {
  216  │     from_port       = 80
  217  │     to_port         = 80
  218  │     protocol        = "tcp"
  219  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:223-228
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_security_group" "ecs_service" {
  ...  
  223  ┌   egress {
  224  │     from_port   = 0
  225  │     to_port     = 0
  226  │     protocol    = "-1"
  227  │     cidr_blocks = ["0.0.0.0/0"]
  228  └   }
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name              = "/aws/events/deploymentLogs"
   11      retention_in_days = "7"
   12    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:31-52
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   31  ┌   ingress {
   32  │     from_port = 443
   33  │     to_port   = 443
   34  │     protocol  = "tcp"
   35  │     cidr_blocks = [
   36  │       "201.33.21.5/32",
   37  │       "213.121.161.124/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:77-122
────────────────────────────────────────────────────────────────────────────────
   71    resource "aws_security_group" "lb_sc_pingdom" {
   72      name        = "load balancer Pingdom security group"
   73      description = "control Pingdom access to the load balancer"
   74      vpc_id      = data.aws_vpc.shared.id
   75    
   76      // Allow all European Pingdom IP addresses
   77  ┌   ingress {
   78  │     from_port = 443
   79  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_pra_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             783.207µs
  parsing              1.832056374s
  adaptation           2.988132ms
  checks               57.877115ms
  total                1.893704828s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     182
  files read           24

  results
  ──────────────────────────────────────────
  passed               54
  ignored              29
  critical             12
  high                 12
  medium               2
  low                  8

  54 passed, 29 ignored, 34 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/pra-register

*****************************

Running Checkov in terraform/environments/pra-register
2023-10-26 14:30:41,002 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 65, Failed checks: 39, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name          = "bastion-example"
		11 |   bucket_versioning    = true
		12 |   bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.pra_task_definition
	File: /ecs.tf:14-76

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.pra_ecs_service
	File: /ecs.tf:78-106

		78  | resource "aws_ecs_service" "pra_ecs_service" {
		79  |   depends_on = [
		80  |     aws_lb_listener.pra_lb
		81  |   ]
		82  | 
		83  |   name                              = var.networking[0].application
		84  |   cluster                           = aws_ecs_cluster.pra_cluster.id
		85  |   task_definition                   = aws_ecs_task_definition.pra_task_definition.arn
		86  |   launch_type                       = "FARGATE"
		87  |   enable_execute_command            = true
		88  |   desired_count                     = 2
		89  |   health_check_grace_period_seconds = 180
		90  | 
		91  |   network_configuration {
		92  |     subnets          = data.aws_subnets.shared-public.ids
		93  |     security_groups  = [aws_security_group.ecs_service.id]
		94  |     assign_public_ip = true
		95  |   }
		96  | 
		97  |   load_balancer {
		98  |     target_group_arn = aws_lb_target_group.pra_target_group.arn
		99  |     container_name   = "pra-container"
		100 |     container_port   = 80
		101 |   }
		102 | 
		103 |   deployment_controller {
		104 |     type = "ECS"
		105 |   }
		106 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:211-229
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		211 | resource "aws_security_group" "ecs_service" {
		212 |   name_prefix = "ecs-service-sg-"
		213 |   vpc_id      = data.aws_vpc.shared.id
		214 | 
		215 |   ingress {
		216 |     from_port       = 80
		217 |     to_port         = 80
		218 |     protocol        = "tcp"
		219 |     description     = "Allow traffic on port 80 from load balancer"
		220 |     security_groups = [aws_security_group.pra_lb_sc.id]
		221 |   }
		222 | 
		223 |   egress {
		224 |     from_port   = 0
		225 |     to_port     = 0
		226 |     protocol    = "-1"
		227 |     cidr_blocks = ["0.0.0.0/0"]
		228 |   }
		229 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.pra_lb_sc
	File: /load_balancer.tf:1-69
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:71-123
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.pra_target_group
	File: /load_balancer.tf:136-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		136 | resource "aws_lb_target_group" "pra_target_group" {
		137 |   name                 = "pra-target-group"
		138 |   port                 = 80
		139 |   protocol             = "HTTP"
		140 |   vpc_id               = data.aws_vpc.shared.id
		141 |   target_type          = "ip"
		142 |   deregistration_delay = 30
		143 | 
		144 |   stickiness {
		145 |     type = "lb_cookie"
		146 |   }
		147 | 
		148 |   health_check {
		149 |     healthy_threshold   = "3"
		150 |     interval            = "30"
		151 |     protocol            = "HTTP"
		152 |     port                = "80"
		153 |     unhealthy_threshold = "5"
		154 |     matcher             = "200-302"
		155 |     timeout             = "10"
		156 |   }
		157 | 
		158 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_pra_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_pra_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_pra_access-${local.environment}"
		27 |   description = "Allow pra on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow pra on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_pra_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_pra_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_pra_access-${local.environment}"
		27 |   description = "Allow pra on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow pra on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/pra-register

*****************************

Running tflint in terraform/environments/pra-register
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 39:
  39:           value = "${aws_db_instance.pra_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 47:
  47:           value = "${aws_db_instance.pra_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 51:
  51:           value = "${aws_db_instance.pra_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 55:
  55:           value = "${aws_db_instance.pra_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 110:
 110:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 128:
 128:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/pra-register/rds.tf line 133:
 133: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 150:
 150:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/pra-register/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/secrets.tf line 18:
  18:   secret_string = jsonencode({ "PRA_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/pra-register

*****************************

Running TFSEC in terraform/environments/pra-register
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_security_group" "ecs_service" {
  ...  
  227  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-7 CRITICAL Security group rule allows ingress from public internet. (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:35-51
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   35  ┌     cidr_blocks = [
   36  │       "201.33.21.5/32",
   37  │       "213.121.161.124/32",
   38  │       "157.203.176.0/25",
   39  │       "194.33.196.0/25",
   40  │       "93.56.171.15/32",
   41  │       "195.59.75.0/24",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-69 (aws_security_group.pra_lb_sc) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:59
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   59  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:67
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   67  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "pra_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_pra_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #12 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:80
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   80  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   83    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:144-151
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  144  ┌         "Action": [
  145  │           "ecr:*",
  146  │           "logs:CreateLogGroup",
  147  │           "logs:CreateLogStream",
  148  │           "logs:PutLogEvents",
  149  │           "logs:DescribeLogStreams",
  150  │           "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:152
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  152  [            "Resource": "*",
  ...  
  158    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-17 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:197-203
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_iam_role_policy" "app_task" {
  ...  
  197  ┌         "Action": [
  198  │           "logs:CreateLogStream",
  199  │           "logs:PutLogEvents",
  200  │           "ecr:*",
  201  │           "iam:*",
  202  │           "ec2:*"
  203  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:187-209 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #18 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:204
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_iam_role_policy" "app_task" {
  ...  
  204  [        "Resource": "*"
  ...  
  209    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:126-134
────────────────────────────────────────────────────────────────────────────────
  126    resource "aws_lb" "pra_lb" {
  127      name                       = "pra-load-balancer"
  128      load_balancer_type         = "application"
  129      security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  130      subnets                    = data.aws_subnets.shared-public.ids
  131      enable_deletion_protection = false
  132      internal                   = false
  133      depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:132
────────────────────────────────────────────────────────────────────────────────
  126    resource "aws_lb" "pra_lb" {
  127      name                       = "pra-load-balancer"
  128      load_balancer_type         = "application"
  129      security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  130      subnets                    = data.aws_subnets.shared-public.ids
  131      enable_deletion_protection = false
  132  [   internal                   = false (false)
  133      depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #25 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #27 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:211-229
────────────────────────────────────────────────────────────────────────────────
  211  ┌ resource "aws_security_group" "ecs_service" {
  212  │   name_prefix = "ecs-service-sg-"
  213  │   vpc_id      = data.aws_vpc.shared.id
  214  │ 
  215  │   ingress {
  216  │     from_port       = 80
  217  │     to_port         = 80
  218  │     protocol        = "tcp"
  219  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:223-228
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_security_group" "ecs_service" {
  ...  
  223  ┌   egress {
  224  │     from_port   = 0
  225  │     to_port     = 0
  226  │     protocol    = "-1"
  227  │     cidr_blocks = ["0.0.0.0/0"]
  228  └   }
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name              = "/aws/events/deploymentLogs"
   11      retention_in_days = "7"
   12    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:31-52
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   31  ┌   ingress {
   32  │     from_port = 443
   33  │     to_port   = 443
   34  │     protocol  = "tcp"
   35  │     cidr_blocks = [
   36  │       "201.33.21.5/32",
   37  │       "213.121.161.124/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:77-122
────────────────────────────────────────────────────────────────────────────────
   71    resource "aws_security_group" "lb_sc_pingdom" {
   72      name        = "load balancer Pingdom security group"
   73      description = "control Pingdom access to the load balancer"
   74      vpc_id      = data.aws_vpc.shared.id
   75    
   76      // Allow all European Pingdom IP addresses
   77  ┌   ingress {
   78  │     from_port = 443
   79  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_pra_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             540.4µs
  parsing              2.230531715s
  adaptation           3.180401ms
  checks               46.403311ms
  total                2.280655827s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     182
  files read           24

  results
  ──────────────────────────────────────────
  passed               54
  ignored              29
  critical             12
  high                 12
  medium               2
  low                  8

  54 passed, 29 ignored, 34 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/pra-register

*****************************

Running Checkov in terraform/environments/pra-register
2023-10-26 14:36:33,395 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 65, Failed checks: 39, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name          = "bastion-example"
		11 |   bucket_versioning    = true
		12 |   bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.pra_task_definition
	File: /ecs.tf:14-76

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.pra_ecs_service
	File: /ecs.tf:78-106

		78  | resource "aws_ecs_service" "pra_ecs_service" {
		79  |   depends_on = [
		80  |     aws_lb_listener.pra_lb
		81  |   ]
		82  | 
		83  |   name                              = var.networking[0].application
		84  |   cluster                           = aws_ecs_cluster.pra_cluster.id
		85  |   task_definition                   = aws_ecs_task_definition.pra_task_definition.arn
		86  |   launch_type                       = "FARGATE"
		87  |   enable_execute_command            = true
		88  |   desired_count                     = 2
		89  |   health_check_grace_period_seconds = 180
		90  | 
		91  |   network_configuration {
		92  |     subnets          = data.aws_subnets.shared-public.ids
		93  |     security_groups  = [aws_security_group.ecs_service.id]
		94  |     assign_public_ip = true
		95  |   }
		96  | 
		97  |   load_balancer {
		98  |     target_group_arn = aws_lb_target_group.pra_target_group.arn
		99  |     container_name   = "pra-container"
		100 |     container_port   = 80
		101 |   }
		102 | 
		103 |   deployment_controller {
		104 |     type = "ECS"
		105 |   }
		106 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:211-229
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		211 | resource "aws_security_group" "ecs_service" {
		212 |   name_prefix = "ecs-service-sg-"
		213 |   vpc_id      = data.aws_vpc.shared.id
		214 | 
		215 |   ingress {
		216 |     from_port       = 80
		217 |     to_port         = 80
		218 |     protocol        = "tcp"
		219 |     description     = "Allow traffic on port 80 from load balancer"
		220 |     security_groups = [aws_security_group.pra_lb_sc.id]
		221 |   }
		222 | 
		223 |   egress {
		224 |     from_port   = 0
		225 |     to_port     = 0
		226 |     protocol    = "-1"
		227 |     cidr_blocks = ["0.0.0.0/0"]
		228 |   }
		229 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.pra_lb_sc
	File: /load_balancer.tf:1-69
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:71-123
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.pra_target_group
	File: /load_balancer.tf:136-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		136 | resource "aws_lb_target_group" "pra_target_group" {
		137 |   name                 = "pra-target-group"
		138 |   port                 = 80
		139 |   protocol             = "HTTP"
		140 |   vpc_id               = data.aws_vpc.shared.id
		141 |   target_type          = "ip"
		142 |   deregistration_delay = 30
		143 | 
		144 |   stickiness {
		145 |     type = "lb_cookie"
		146 |   }
		147 | 
		148 |   health_check {
		149 |     healthy_threshold   = "3"
		150 |     interval            = "30"
		151 |     protocol            = "HTTP"
		152 |     port                = "80"
		153 |     unhealthy_threshold = "5"
		154 |     matcher             = "200-302"
		155 |     timeout             = "10"
		156 |   }
		157 | 
		158 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_pra_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_pra_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_pra_access-${local.environment}"
		27 |   description = "Allow pra on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow pra on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_pra_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_pra_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_pra_access-${local.environment}"
		27 |   description = "Allow pra on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow pra on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/pra-register

*****************************

Running tflint in terraform/environments/pra-register
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 39:
  39:           value = "${aws_db_instance.pra_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 47:
  47:           value = "${aws_db_instance.pra_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 51:
  51:           value = "${aws_db_instance.pra_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 55:
  55:           value = "${aws_db_instance.pra_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 110:
 110:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 128:
 128:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/pra-register/rds.tf line 133:
 133: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 150:
 150:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/pra-register/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/secrets.tf line 18:
  18:   secret_string = jsonencode({ "PRA_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@tmahmood72 tmahmood72 left a comment

LGTM

@tajewole-moj tajewole-moj merged commit 6972e89 into main Oct 26, 2023
11 of 16 checks passed
@tajewole-moj tajewole-moj deleted the LAWS-3514-Backup-Lambda branch October 26, 2023 14:48
@tajewole-moj tajewole-moj temporarily deployed to apex-development October 27, 2023 10:12 — with GitHub Actions Inactive