
rebuilding r3 web server to subnet a and adding dns records to region 3 #3713

Merged (2 commits), Oct 18, 2023

Conversation

haitchison
Contributor

No description provided.

@haitchison haitchison requested review from a team as code owners October 18, 2023 09:39
@github-actions github-actions bot added the environments-repository label (Used to exclude PRs from this repo in our Slack PR update) Oct 18, 2023
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running TFSEC in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:89
────────────────────────────────────────────────────────────────────────────────
   83    resource "aws_security_group_rule" "allow_all_egress" {
   84      description       = "Allow all outbound traffic to any IPv4 address"
   85      type              = "egress"
   86      from_port         = 0
   87      to_port           = 0
   88      protocol          = "-1"
   89  [   cidr_blocks       = ["0.0.0.0/0"]
   90      security_group_id = aws_security_group.ldap.id
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:185
────────────────────────────────────────────────────────────────────────────────
  179    resource "aws_security_group_rule" "weblogic_allow_all_egress" {
  180      description       = "Allow all outbound traffic to any IPv4 address on 443"
  181      type              = "egress"
  182      from_port         = 443
  183      to_port           = 443
  184      protocol          = "tcp"
  185  [   cidr_blocks       = ["0.0.0.0/0"]
  186      security_group_id = aws_security_group.weblogic_service.id
  187    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #3-5 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:107
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
  104    data "aws_iam_policy_document" "task_exec" {
  ...  
  107  [     resources = ["*"]
  ...  
  121    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #6-8 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:46
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   ..  
   46  [     resources = ["*"]
   ..  
   58    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-14 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:48-56
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   44      statement {
   45        effect    = "Allow"
   46        resources = ["*"]
   47    
   48  ┌     actions = concat([
   49  │       "elasticloadbalancing:Describe*",
   50  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   51  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #15 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  db_ec2.tf:69
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_instance" "db_ec2_primary_instance" {
   ..  
   69  [     http_tokens   = "optional" ("optional")
   ..  
   94    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Results #16-19 HIGH IAM policy document uses wildcarded action 'kms:Encrypt' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_iam.tf:27-36
────────────────────────────────────────────────────────────────────────────────
   24    data "aws_iam_policy_document" "business_unit_kms_key_access" {
   25      statement {
   26        effect = "Allow"
   27  ┌     actions = [
   28  │       "kms:Encrypt",
   29  │       "kms:Decrypt",
   30  │       "kms:ReEncrypt*",
   31  │       "kms:GenerateDataKey*",
   32  │       "kms:DescribeKey",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_iam.tf:24-41 (data.aws_iam_policy_document.business_unit_kms_key_access) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH IAM policy document uses sensitive action 'ssm:PutParameter' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  db_iam.tf:94
────────────────────────────────────────────────────────────────────────────────
   87    data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
   88      statement {
   89        sid    = "AllowAccessToSsmParameterStore"
   90        effect = "Allow"
   91        actions = [
   92          "ssm:PutParameter"
   93        ]
   94  [     resources = ["*"]
   95      }
   96    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:44-46
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   ..  
   44  ┌     actions = [
   45  │       "s3:*"
   46  └     ]
   ..  
   77    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource 'd8734fed-8c76-4338-97bf-c2db52f50716' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   ..  
   47  ┌     resources = [
   48  │       "${module.s3_bucket_oracledb_backups.bucket.arn}",
   49  │       "${module.s3_bucket_oracledb_backups.bucket.arn}/*"
   50  └     ]
   ..  
   77    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #23-24 HIGH IAM policy document uses wildcarded action 's3:Get*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:56-59
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   ..  
   56  ┌     actions = [
   57  │       "s3:Get*",
   58  │       "s3:List*"
   59  └     ]
   ..  
   77    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_s3.tf:40-77 (data.aws_iam_policy_document.oracledb_backup_bucket_access) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #25 HIGH IAM policy document uses sensitive action 's3:GetBucketLocation' on wildcarded resource 'arn:aws:s3:::*' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:73-75
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   ..  
   73  ┌     resources = [
   74  │       "arn:aws:s3:::*"
   75  └     ]
   ..  
   77    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #26 HIGH IAM policy document uses sensitive action 'efs:DescribeFileSystems' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:100
────────────────────────────────────────────────────────────────────────────────
   97    data "aws_iam_policy_document" "efs_backup_policy" {
   ..  
  100  [     resources = ["*"]
  ...  
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #27 HIGH IAM policy document uses sensitive action 'backup:CreateBackupPlan' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:72
────────────────────────────────────────────────────────────────────────────────
   69    data "aws_iam_policy_document" "delius_core_backup_policy" {
   ..  
   72  [     resources = ["*"]
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #28-32 HIGH IAM policy document uses wildcarded action 'backup:*' (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:51-70
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   51  ┌     actions = [
   52  │       "backup:*",
   53  │       "datasync:*",
   54  │       "elasticfilesystem:*",
   55  │       "ec2:DescribeInstances",
   56  │       "ec2:CreateNetworkInterface",
   57  │       "ec2:AttachNetworkInterface",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_datasync.tf:48-82 (data.aws_iam_policy_document.ldap_datasync_role_access) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #33 HIGH IAM policy document uses sensitive action 'backup:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:71
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   71  [     resources = ["*"]
   ..  
   82    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #34 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:76
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   76  [     actions = ["s3:*"]
   ..  
   82    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #35 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource 'arn:aws:s3:::*-ldap-data-refresh-incoming' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:77-80
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   77  ┌     resources = [
   78  │       "arn:aws:s3:::*-ldap-data-refresh-incoming",
   79  │       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
   80  └     ]
   ..  
   82    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #36 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:170
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  ...  
  170  [     resources = ["*"]
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #37-38 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:172-180
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  168      statement {
  169        effect    = "Allow"
  170        resources = ["*"]
  171    
  172  ┌     actions = [
  173  │       "elasticloadbalancing:Describe*",
  174  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
  175  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_ecs.tf:167-182 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #39 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:209-211
────────────────────────────────────────────────────────────────────────────────
  204    data "aws_iam_policy_document" "ecs_s3" {
  205      statement {
  206        effect    = "Allow"
  207        resources = [module.s3_bucket_migration.bucket.arn]
  208    
  209  ┌     actions = [
  210  │       "s3:*"
  211  └     ]
  212      }
  213    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #40 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:248
────────────────────────────────────────────────────────────────────────────────
  245    data "aws_iam_policy_document" "ecs_exec" {
  ...  
  248  [     resources = ["*"]
  ...  
  262    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #41-42 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170
   via db_s3.tf:1-38 (module.s3_bucket_oracledb_backups)
────────────────────────────────────────────────────────────────────────────────
  167    resource "aws_s3_bucket_versioning" "default" {
  168      bucket = aws_s3_bucket.default.id
  169      versioning_configuration {
  170  [     status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
  171      }
  172    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:1-38 (module.s3_bucket_oracledb_backups)
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:111-125 (module.s3_bucket_ldap_data_refresh)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #43 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  db_service.tf:114-118
────────────────────────────────────────────────────────────────────────────────
  114    resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
  115      name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
  116      retention_in_days = 7
  117      tags              = local.tags
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #44 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:113-120
────────────────────────────────────────────────────────────────────────────────
  113    resource "aws_security_group_rule" "efs_ingress_ldap" {
  114      type                     = "ingress"
  115      from_port                = 2049
  116      to_port                  = 2049
  117      protocol                 = "tcp"
  118      source_security_group_id = aws_security_group.ldap_efs.id
  119      security_group_id        = aws_security_group.ldap.id
  120    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #45 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:122-125
────────────────────────────────────────────────────────────────────────────────
  122    resource "aws_cloudwatch_log_group" "ldap" {
  123      name              = "${var.env_name}-ldap-ecs"
  124      retention_in_days = 30
  125    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #46 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:271-274
────────────────────────────────────────────────────────────────────────────────
  271    resource "aws_cloudwatch_log_group" "ldap_test" {
  272      name              = "/ecs/ldap_${var.env_name}"
  273      retention_in_days = 5
  274    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #47 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:55-62
────────────────────────────────────────────────────────────────────────────────
   55    resource "aws_security_group_rule" "efs_ingress" {
   56      type                     = "ingress"
   57      from_port                = 2049
   58      to_port                  = 2049
   59      protocol                 = "tcp"
   60      source_security_group_id = aws_security_group.ldap.id
   61      security_group_id        = aws_security_group.ldap_efs.id
   62    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #48 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:64-71
────────────────────────────────────────────────────────────────────────────────
   64    resource "aws_security_group_rule" "efs_ingress_vpc" {
   65      type              = "ingress"
   66      from_port         = 2049
   67      to_port           = 2049
   68      protocol          = "tcp"
   69      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   70      security_group_id = aws_security_group.ldap_efs.id
   71    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #49 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:73-80
────────────────────────────────────────────────────────────────────────────────
   73    resource "aws_security_group_rule" "efs_egress" {
   74      type              = "egress"
   75      from_port         = 0
   76      to_port           = 0
   77      protocol          = "all"
   78      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   79      security_group_id = aws_security_group.ldap_efs.id
   80    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #50 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:199-203
────────────────────────────────────────────────────────────────────────────────
  199    resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
  200      name              = var.weblogic_config.frontend_fully_qualified_name
  201      retention_in_days = 7
  202      tags              = local.tags
  203    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             2.50966ms
  parsing              2.638525964s
  adaptation           14.151141ms
  checks               12.927112ms
  total                2.668113877s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    14
  blocks processed     655
  files read           74

  results
  ──────────────────────────────────────────
  passed               241
  ignored              20
  critical             2
  high                 38
  medium               2
  low                  8

  241 passed, 20 ignored, 50 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running Checkov in terraform/environments/delius-core/modules/environment_all_components
2023-10-18 09:42:45,402 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-10-18 09:42:45,402 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0:None (for external modules, the --download-external-modules flag is required)
2023-10-18 09:42:45,403 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
2023-10-18 09:42:45,403 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 670, Failed checks: 79, Skipped checks: 4

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.db_ec2_primary_instance
	File: /db_ec2.tf:54-94
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		54 | resource "aws_instance" "db_ec2_primary_instance" {
		55 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		56 |   instance_type               = var.db_config.instance.instance_type
		57 |   ami                         = data.aws_ami.oracle_db_ami.id
		58 |   vpc_security_group_ids      = [aws_security_group.db_ec2_instance_sg.id, aws_security_group.delius_db_security_group.id]
		59 |   subnet_id                   = var.account_config.data_subnet_a_id
		60 |   iam_instance_profile        = aws_iam_instance_profile.db_ec2_instanceprofile.name
		61 |   associate_public_ip_address = false
		62 |   monitoring                  = var.db_config.instance.monitoring
		63 |   ebs_optimized               = true
		64 |   key_name                    = aws_key_pair.environment_ec2_user_key_pair.key_name
		65 |   user_data_base64            = var.db_config.user_data_raw
		66 | 
		67 |   metadata_options {
		68 |     http_endpoint = "enabled"
		69 |     http_tokens   = "optional"
		70 |   }
		71 | 
		72 |   root_block_device {
		73 |     volume_type = var.db_config.ebs_volumes.root_volume.volume_type
		74 |     volume_size = var.db_config.ebs_volumes.root_volume.volume_size
		75 |     iops        = var.db_config.ebs_volumes.iops
		76 |     throughput  = var.db_config.ebs_volumes.throughput
		77 |     encrypted   = true
		78 |     kms_key_id  = var.db_config.ebs_volumes.kms_key_id
		79 |     tags        = local.tags
		80 |   }
		81 | 
		82 |   dynamic "ephemeral_block_device" {
		83 |     for_each = { for k, v in var.db_config.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true }
		84 |     content {
		85 |       device_name = ephemeral_block_device.key
		86 |       no_device   = true
		87 |     }
		88 |   }
		89 |   tags = merge(local.tags,
		90 |     { Name = lower(format("%s-%s-1", var.env_name, var.db_config.name)) },
		91 |     { server-type = "delius_core_db" },
		92 |     { database = "delius_primarydb" }
		93 |   )
		94 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /db_iam.tf:87-96
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		87 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		88 |   statement {
		89 |     sid    = "AllowAccessToSsmParameterStore"
		90 |     effect = "Allow"
		91 |     actions = [
		92 |       "ssm:PutParameter"
		93 |     ]
		94 |     resources = ["*"]
		95 |   }
		96 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /db_iam.tf:87-96

		87 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		88 |   statement {
		89 |     sid    = "AllowAccessToSsmParameterStore"
		90 |     effect = "Allow"
		91 |     actions = [
		92 |       "ssm:PutParameter"
		93 |     ]
		94 |     resources = ["*"]
		95 |   }
		96 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups
	File: /db_s3.tf:1-38
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "s3_bucket_oracledb_backups" {
		2  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		3  |   bucket_name         = "${var.env_name}-oracle-database-backups"
		4  |   versioning_enabled  = false
		5  |   ownership_controls  = "BucketOwnerEnforced"
		6  |   replication_enabled = false
		7  |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		8  | 
		9  |   providers = {
		10 |     aws.bucket-replication = aws.bucket-replication
		11 |   }
		12 | 
		13 |   lifecycle_rule = [
		14 |     {
		15 |       id      = "main"
		16 |       enabled = "Enabled"
		17 |       prefix  = ""
		18 | 
		19 |       tags = {
		20 |         rule      = "log"
		21 |         autoclean = "true"
		22 |       }
		23 | 
		24 |       transition = [
		25 |         {
		26 |           days          = 90
		27 |           storage_class = "STANDARD_IA"
		28 |         }
		29 |       ]
		30 | 
		31 |       expiration = {
		32 |         days = 365
		33 |       }
		34 |     }
		35 |   ]
		36 | 
		37 |   tags = local.tags
		38 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: testing_db_container
	File: /db_service.tf:1-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "testing_db_container" {
		2  |   count                    = var.env_name == "dev" ? 1 : 0
		3  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0"
		4  |   container_name           = "${var.env_name}-${var.delius_db_container_config.fully_qualified_name}"
		5  |   container_image          = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/${var.delius_db_container_config.image_name}-ecr-repo:${var.delius_db_container_config.image_tag}"
		6  |   container_memory         = 4096
		7  |   container_cpu            = 1024
		8  |   essential                = true
		9  |   readonly_root_filesystem = false
		10 |   port_mappings = [
		11 |     {
		12 |       containerPort = var.delius_db_container_config.port
		13 |       hostPort      = var.delius_db_container_config.port
		14 |       protocol      = "tcp"
		15 |     },
		16 |   ]
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.delius_core_testing_db_log_group.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = var.delius_db_container_config.fully_qualified_name
		23 |     }
		24 |   }
		25 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /ldap_backups.tf:1-9
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-backup-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /ldap_datasync.tf:111-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		111 | module "s3_bucket_ldap_data_refresh" {
		112 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		113 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		114 |   versioning_enabled  = false
		115 |   ownership_controls  = "BucketOwnerEnforced"
		116 |   replication_enabled = false
		117 |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		118 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		119 | 
		120 |   providers = {
		121 |     aws.bucket-replication = aws.bucket-replication
		122 |   }
		123 | 
		124 |   tags = local.tags
		125 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-82
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |       "ec2:DescribeInstances",
		56 |       "ec2:CreateNetworkInterface",
		57 |       "ec2:AttachNetworkInterface",
		58 |       "ec2:DescribeNetworkInterfaces",
		59 |       "ec2:DeleteNetworkInterface",
		60 |       "kms:Encrypt",
		61 |       "kms:Decrypt",
		62 |       "kms:ReEncrypt*",
		63 |       "kms:DescribeKey",
		64 |       "kms:GetPublicKey",
		65 |       "kms:ReEncrypt*",
		66 |       "kms:GenerateDataKey",
		67 |       "kms:CreateGrant",
		68 |       "kms:ListGrants",
		69 |       "kms:RevokeGrant"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 |   statement {
		74 |     sid     = "allowAccessForDataSync"
		75 |     effect  = "Allow"
		76 |     actions = ["s3:*"]
		77 |     resources = [
		78 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		79 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		80 |     ]
		81 |   }
		82 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-82
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |       "ec2:DescribeInstances",
		56 |       "ec2:CreateNetworkInterface",
		57 |       "ec2:AttachNetworkInterface",
		58 |       "ec2:DescribeNetworkInterfaces",
		59 |       "ec2:DeleteNetworkInterface",
		60 |       "kms:Encrypt",
		61 |       "kms:Decrypt",
		62 |       "kms:ReEncrypt*",
		63 |       "kms:DescribeKey",
		64 |       "kms:GetPublicKey",
		65 |       "kms:ReEncrypt*",
		66 |       "kms:GenerateDataKey",
		67 |       "kms:CreateGrant",
		68 |       "kms:ListGrants",
		69 |       "kms:RevokeGrant"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 |   statement {
		74 |     sid     = "allowAccessForDataSync"
		75 |     effect  = "Allow"
		76 |     actions = ["s3:*"]
		77 |     resources = [
		78 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		79 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		80 |     ]
		81 |   }
		82 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-82

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |       "ec2:DescribeInstances",
		56 |       "ec2:CreateNetworkInterface",
		57 |       "ec2:AttachNetworkInterface",
		58 |       "ec2:DescribeNetworkInterfaces",
		59 |       "ec2:DeleteNetworkInterface",
		60 |       "kms:Encrypt",
		61 |       "kms:Decrypt",
		62 |       "kms:ReEncrypt*",
		63 |       "kms:DescribeKey",
		64 |       "kms:GetPublicKey",
		65 |       "kms:ReEncrypt*",
		66 |       "kms:GenerateDataKey",
		67 |       "kms:CreateGrant",
		68 |       "kms:ListGrants",
		69 |       "kms:RevokeGrant"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 |   statement {
		74 |     sid     = "allowAccessForDataSync"
		75 |     effect  = "Allow"
		76 |     actions = ["s3:*"]
		77 |     resources = [
		78 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		79 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		80 |     ]
		81 |   }
		82 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /ldap_ecs.tf:113-120
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		113 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		114 |   type                     = "ingress"
		115 |   from_port                = 2049
		116 |   to_port                  = 2049
		117 |   protocol                 = "tcp"
		118 |   source_security_group_id = aws_security_group.ldap_efs.id
		119 |   security_group_id        = aws_security_group.ldap.id
		120 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_deployment
	File: /ldap_ecs.tf:33-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		33 | module "s3_bucket_ldap_deployment" {
		34 | 
		35 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		36 | 
		37 |   providers = {
		38 |     aws.bucket-replication = aws.bucket-replication
		39 |   }
		40 |   bucket_prefix      = "${var.env_name}-ldap-deployment-"
		41 |   versioning_enabled = true
		42 | 
		43 |   lifecycle_rule = [
		44 |     {
		45 |       id      = "main"
		46 |       enabled = "Enabled"
		47 |       prefix  = ""
		48 | 
		49 |       tags = {
		50 |         rule      = "log"
		51 |         autoclean = "true"
		52 |       }
		53 | 
		54 |       noncurrent_version_transition = [
		55 |         {
		56 |           days          = 90
		57 |           storage_class = "STANDARD_IA"
		58 |           }, {
		59 |           days          = 365
		60 |           storage_class = "GLACIER"
		61 |         }
		62 |       ]
		63 | 
		64 |       noncurrent_version_expiration = {
		65 |         days = 730
		66 |       }
		67 |     }
		68 |   ]
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress
	File: /ldap_efs.tf:55-62
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		55 | resource "aws_security_group_rule" "efs_ingress" {
		56 |   type                     = "ingress"
		57 |   from_port                = 2049
		58 |   to_port                  = 2049
		59 |   protocol                 = "tcp"
		60 |   source_security_group_id = aws_security_group.ldap.id
		61 |   security_group_id        = aws_security_group.ldap_efs.id
		62 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_vpc
	File: /ldap_efs.tf:64-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		64 | resource "aws_security_group_rule" "efs_ingress_vpc" {
		65 |   type              = "ingress"
		66 |   from_port         = 2049
		67 |   to_port           = 2049
		68 |   protocol          = "tcp"
		69 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		70 |   security_group_id = aws_security_group.ldap_efs.id
		71 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_egress
	File: /ldap_efs.tf:73-80
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		73 | resource "aws_security_group_rule" "efs_egress" {
		74 |   type              = "egress"
		75 |   from_port         = 0
		76 |   to_port           = 0
		77 |   protocol          = "all"
		78 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		79 |   security_group_id = aws_security_group.ldap_efs.id
		80 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /ldap_params.tf:20-30

		20 | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		21 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		22 |   type  = "SecureString"
		23 |   value = "INITIAL_VALUE_OVERRIDDEN"
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       value
		27 |     ]
		28 |   }
		29 |   tags = local.tags
		30 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /ldap_params.tf:32-42

		32 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		33 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		34 |   type  = "SecureString"
		35 |   value = "INITIAL_VALUE_OVERRIDDEN"
		36 |   lifecycle {
		37 |     ignore_changes = [
		38 |       value
		39 |     ]
		40 |   }
		41 |   tags = local.tags
		42 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /ldap_s3.tf:1-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ldap_s3.tf:94-133
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		94  | module "s3_bucket_app_deployment" {
		95  | 
		96  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		97  | 
		98  |   bucket_name        = "${var.app_name}-${var.env_name}-openldap-deployment"
		99  |   versioning_enabled = true
		100 | 
		101 |   providers = {
		102 |     aws.bucket-replication = aws.bucket-replication
		103 |   }
		104 | 
		105 |   lifecycle_rule = [
		106 |     {
		107 |       id      = "main"
		108 |       enabled = "Enabled"
		109 |       prefix  = ""
		110 | 
		111 |       tags = {
		112 |         rule      = "log"
		113 |         autoclean = "true"
		114 |       }
		115 | 
		116 |       noncurrent_version_transition = [
		117 |         {
		118 |           days          = 90
		119 |           storage_class = "STANDARD_IA"
		120 |           }, {
		121 |           days          = 365
		122 |           storage_class = "GLACIER"
		123 |         }
		124 |       ]
		125 | 
		126 |       noncurrent_version_expiration = {
		127 |         days = 730
		128 |       }
		129 |     }
		130 |   ]
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-41

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | 
		41 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:43-54

		43 | resource "aws_ssm_parameter" "oasys_user" {
		44 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		45 |   type  = "SecureString"
		46 |   value = "INITIAL_VALUE_OVERRIDDEN"
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 |   tags = local.tags
		53 | 
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:56-67

		56 | resource "aws_ssm_parameter" "oasys_password" {
		57 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | 
		67 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:69-80

		69 | resource "aws_ssm_parameter" "iaps_user" {
		70 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		71 |   type  = "SecureString"
		72 |   value = "INITIAL_VALUE_OVERRIDDEN"
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 |   tags = local.tags
		79 | 
		80 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:82-93

		82 | resource "aws_ssm_parameter" "iaps_user_password" {
		83 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = local.tags
		92 | 
		93 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:95-106

		95  | resource "aws_ssm_parameter" "dss_user" {
		96  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		97  |   type  = "SecureString"
		98  |   value = "INITIAL_VALUE_OVERRIDDEN"
		99  |   lifecycle {
		100 |     ignore_changes = [
		101 |       value
		102 |     ]
		103 |   }
		104 |   tags = local.tags
		105 | 
		106 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:108-119

		108 | resource "aws_ssm_parameter" "dss_user_password" {
		109 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		110 |   type  = "SecureString"
		111 |   value = "INITIAL_VALUE_OVERRIDDEN"
		112 |   lifecycle {
		113 |     ignore_changes = [
		114 |       value
		115 |     ]
		116 |   }
		117 |   tags = local.tags
		118 | 
		119 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:121-132

		121 | resource "aws_ssm_parameter" "casenotes_user" {
		122 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		123 |   type  = "SecureString"
		124 |   value = "INITIAL_VALUE_OVERRIDDEN"
		125 |   lifecycle {
		126 |     ignore_changes = [
		127 |       value
		128 |     ]
		129 |   }
		130 |   tags = local.tags
		131 | 
		132 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:134-144

		134 | resource "aws_ssm_parameter" "casenotes_user_password" {
		135 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		136 |   type  = "SecureString"
		137 |   value = "INITIAL_VALUE_OVERRIDDEN"
		138 |   lifecycle {
		139 |     ignore_changes = [
		140 |       value
		141 |     ]
		142 |   }
		143 |   tags = local.tags
		144 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:146-157

		146 | resource "aws_ssm_parameter" "test_user_password" {
		147 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		148 |   type  = "SecureString"
		149 |   value = "INITIAL_VALUE_OVERRIDDEN"
		150 |   lifecycle {
		151 |     ignore_changes = [
		152 |       value
		153 |     ]
		154 |   }
		155 | 
		156 |   tags = local.tags
		157 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:159-171

		159 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		160 |   name  = format("/%s-%s/gdpr/api/client_secret", var.account_info.application_name, var.env_name)
		161 |   type  = "SecureString"
		162 |   value = "INITIAL_VALUE_OVERRIDDEN"
		163 | 
		164 |   lifecycle {
		165 |     ignore_changes = [
		166 |       value
		167 |     ]
		168 |   }
		169 | 
		170 |   tags = local.tags
		171 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:173-185

		173 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		174 |   name  = format("/%s-%s/pwm/pwm/config_password", var.account_info.application_name, var.env_name)
		175 |   type  = "SecureString"
		176 |   value = "INITIAL_VALUE_OVERRIDDEN"
		177 | 
		178 |   lifecycle {
		179 |     ignore_changes = [
		180 |       value
		181 |     ]
		182 |   }
		183 | 
		184 |   tags = local.tags
		185 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:187-199

		187 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		188 |   name  = format("/%s-%s/merge/api/client_secret", var.account_info.application_name, var.env_name)
		189 |   type  = "SecureString"
		190 |   value = "INITIAL_VALUE_OVERRIDDEN"
		191 | 
		192 |   lifecycle {
		193 |     ignore_changes = [
		194 |       value
		195 |     ]
		196 |   }
		197 | 
		198 |   tags = local.tags
		199 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:201-213

		201 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		202 |   name  = format("/%s-%s/weblogic/ndelius-domain/umt_client_secret", var.account_info.application_name, var.env_name)
		203 |   type  = "SecureString"
		204 |   value = "INITIAL_VALUE_OVERRIDDEN"
		205 | 
		206 |   lifecycle {
		207 |     ignore_changes = [
		208 |       value
		209 |     ]
		210 |   }
		211 | 
		212 |   tags = local.tags
		213 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /weblogic_alb.tf:57-69
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		57 | resource "aws_lb" "delius_core_frontend" {
		58 |   # checkov:skip=CKV_AWS_91
		59 |   # checkov:skip=CKV2_AWS_28
		60 | 
		61 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		62 |   internal           = false
		63 |   load_balancer_type = "application"
		64 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		65 |   subnets            = var.account_config.public_subnet_ids
		66 | 
		67 |   enable_deletion_protection = false
		68 |   drop_invalid_header_fields = true
		69 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_url
	File: /weblogic_params.tf:6-16

		6  | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = format("jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN/%s", var.weblogic_config.db_name)
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_password
	File: /weblogic_params.tf:18-28

		18 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_password" {
		19 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		20 |   type  = "SecureString"
		21 |   value = "INITIAL_VALUE_OVERRIDDEN"
		22 |   tags  = local.tags
		23 |   lifecycle {
		24 |     ignore_changes = [
		25 |       value
		26 |     ]
		27 |   }
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_username
	File: /weblogic_params.tf:37-47

		37 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_username" {
		38 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = local.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_password
	File: /weblogic_params.tf:49-59

		49 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_password" {
		50 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		51 |   type  = "SecureString"
		52 |   value = "INITIAL_VALUE_OVERRIDDEN"
		53 |   lifecycle {
		54 |     ignore_changes = [
		55 |       value
		56 |     ]
		57 |   }
		58 |   tags = local.tags
		59 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_eis_user_context
	File: /weblogic_params.tf:61-71

		61 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_eis_user_context" {
		62 |   name  = format("/%s/%s/EIS_USER_CONTEXT", var.account_info.application_name, var.env_name)
		63 |   type  = "SecureString"
		64 |   value = "INITIAL_VALUE_OVERRIDDEN"
		65 |   lifecycle {
		66 |     ignore_changes = [
		67 |       value
		68 |     ]
		69 |   }
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_user_context
	File: /weblogic_params.tf:73-83

		73 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_user_context" {
		74 |   name  = format("/%s/%s/USER_CONTEXT", var.account_info.application_name, var.env_name)
		75 |   type  = "SecureString"
		76 |   value = "INITIAL_VALUE_OVERRIDDEN"
		77 |   lifecycle {
		78 |     ignore_changes = [
		79 |       value
		80 |     ]
		81 |   }
		82 |   tags = local.tags
		83 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: weblogic_container
	File: /weblogic_service.tf:1-63
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.ebs_volume.aws_ebs_volume.this
	File: /../ebs_volume/main.tf:1-10
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup.html

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 | }

Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
	FAILED for resource: aws_route53_record.delius-core-db
	File: /db_service.tf:70-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html

		70 | resource "aws_route53_record" "delius-core-db" {
		71 |   count    = var.env_name == "dev" ? 1 : 0
		72 |   provider = aws.core-vpc
		73 |   zone_id  = var.account_config.route53_inner_zone_info.zone_id
		74 |   name     = "${var.app_name}-${var.env_name}-${var.delius_db_container_config.fully_qualified_name}.${var.account_config.route53_inner_zone_info.name}"
		75 |   type     = "A"
		76 |   ttl      = 300
		77 |   records  = ["10.26.26.95"]
		78 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /ldap_ecs.tf:73-81
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		73 | resource "aws_security_group" "ldap" {
		74 |   name        = "${var.env_name}-ldap-sg"
		75 |   description = "Security group for the ${var.env_name} ldap service"
		76 |   vpc_id      = var.account_info.vpc_id
		77 |   tags        = local.tags
		78 |   lifecycle {
		79 |     create_before_destroy = true
		80 |   }
		81 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.weblogic_service
	File: /weblogic_service.tf:114-122
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		114 | resource "aws_security_group" "weblogic_service" {
		115 |   name        = format("%s - Delius Core Weblogic service", var.env_name)
		116 |   description = "Security group for the ${var.env_name} weblogic service"
		117 |   vpc_id      = var.account_info.vpc_id
		118 |   tags        = local.tags
		119 |   lifecycle {
		120 |     create_before_destroy = true
		121 |   }
		122 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running tflint in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/db_s3.tf line 48:
  48:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 91:
  91:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

keirwilliams previously approved these changes Oct 18, 2023
robertsweetman previously approved these changes Oct 18, 2023
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running TFSEC in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:89
────────────────────────────────────────────────────────────────────────────────
   83    resource "aws_security_group_rule" "allow_all_egress" {
   84      description       = "Allow all outbound traffic to any IPv4 address"
   85      type              = "egress"
   86      from_port         = 0
   87      to_port           = 0
   88      protocol          = "-1"
   89  [   cidr_blocks       = ["0.0.0.0/0"]
   90      security_group_id = aws_security_group.ldap.id
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:185
────────────────────────────────────────────────────────────────────────────────
  179    resource "aws_security_group_rule" "weblogic_allow_all_egress" {
  180      description       = "Allow all outbound traffic to any IPv4 address on 443"
  181      type              = "egress"
  182      from_port         = 443
  183      to_port           = 443
  184      protocol          = "tcp"
  185  [   cidr_blocks       = ["0.0.0.0/0"]
  186      security_group_id = aws_security_group.weblogic_service.id
  187    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #3-5 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:107
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
  104    data "aws_iam_policy_document" "task_exec" {
  ...  
  107  [     resources = ["*"]
  ...  
  121    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #6-8 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:46
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   ..  
   46  [     resources = ["*"]
   ..  
   58    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-14 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:48-56
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   44      statement {
   45        effect    = "Allow"
   46        resources = ["*"]
   47    
   48  ┌     actions = concat([
   49  │       "elasticloadbalancing:Describe*",
   50  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   51  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #15 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  db_ec2.tf:69
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_instance" "db_ec2_primary_instance" {
   ..  
   69  [     http_tokens   = "optional" ("optional")
   ..  
   94    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Results #16-19 HIGH IAM policy document uses wildcarded action 'kms:Encrypt' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_iam.tf:27-36
────────────────────────────────────────────────────────────────────────────────
   24    data "aws_iam_policy_document" "business_unit_kms_key_access" {
   25      statement {
   26        effect = "Allow"
   27  ┌     actions = [
   28  │       "kms:Encrypt",
   29  │       "kms:Decrypt",
   30  │       "kms:ReEncrypt*",
   31  │       "kms:GenerateDataKey*",
   32  │       "kms:DescribeKey",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_iam.tf:24-41 (data.aws_iam_policy_document.business_unit_kms_key_access) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH IAM policy document uses sensitive action 'ssm:PutParameter' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  db_iam.tf:94
────────────────────────────────────────────────────────────────────────────────
   87    data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
   88      statement {
   89        sid    = "AllowAccessToSsmParameterStore"
   90        effect = "Allow"
   91        actions = [
   92          "ssm:PutParameter"
   93        ]
   94  [     resources = ["*"]
   95      }
   96    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:44-46
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   ..  
   44  ┌     actions = [
   45  │       "s3:*"
   46  └     ]
   ..  
   77    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource '3567309c-9205-4a4c-becd-9e904179a7b2' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   ..  
   47  ┌     resources = [
   48  │       "${module.s3_bucket_oracledb_backups.bucket.arn}",
   49  │       "${module.s3_bucket_oracledb_backups.bucket.arn}/*"
   50  └     ]
   ..  
   77    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #23-24 HIGH IAM policy document uses wildcarded action 's3:Get*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:56-59
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   ..  
   56  ┌     actions = [
   57  │       "s3:Get*",
   58  │       "s3:List*"
   59  └     ]
   ..  
   77    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_s3.tf:40-77 (data.aws_iam_policy_document.oracledb_backup_bucket_access) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #25 HIGH IAM policy document uses sensitive action 's3:GetBucketLocation' on wildcarded resource 'arn:aws:s3:::*' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:73-75
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   ..  
   73  ┌     resources = [
   74  │       "arn:aws:s3:::*"
   75  └     ]
   ..  
   77    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #26 HIGH IAM policy document uses sensitive action 'efs:DescribeFileSystems' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:100
────────────────────────────────────────────────────────────────────────────────
   97    data "aws_iam_policy_document" "efs_backup_policy" {
   ..  
  100  [     resources = ["*"]
  ...  
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #27 HIGH IAM policy document uses sensitive action 'backup:CreateBackupPlan' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:72
────────────────────────────────────────────────────────────────────────────────
   69    data "aws_iam_policy_document" "delius_core_backup_policy" {
   ..  
   72  [     resources = ["*"]
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #28-32 HIGH IAM policy document uses wildcarded action 'backup:*' (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:51-70
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   51  ┌     actions = [
   52  │       "backup:*",
   53  │       "datasync:*",
   54  │       "elasticfilesystem:*",
   55  │       "ec2:DescribeInstances",
   56  │       "ec2:CreateNetworkInterface",
   57  │       "ec2:AttachNetworkInterface",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_datasync.tf:48-82 (data.aws_iam_policy_document.ldap_datasync_role_access) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #33 HIGH IAM policy document uses sensitive action 'backup:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:71
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   71  [     resources = ["*"]
   ..  
   82    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #34 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:76
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   76  [     actions = ["s3:*"]
   ..  
   82    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #35 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource 'arn:aws:s3:::*-ldap-data-refresh-incoming' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:77-80
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   77  ┌     resources = [
   78  │       "arn:aws:s3:::*-ldap-data-refresh-incoming",
   79  │       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
   80  └     ]
   ..  
   82    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #36 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:170
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  ...  
  170  [     resources = ["*"]
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #37-38 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:172-180
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  168      statement {
  169        effect    = "Allow"
  170        resources = ["*"]
  171    
  172  ┌     actions = [
  173  │       "elasticloadbalancing:Describe*",
  174  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
  175  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_ecs.tf:167-182 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #39 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:209-211
────────────────────────────────────────────────────────────────────────────────
  204    data "aws_iam_policy_document" "ecs_s3" {
  205      statement {
  206        effect    = "Allow"
  207        resources = [module.s3_bucket_migration.bucket.arn]
  208    
  209  ┌     actions = [
  210  │       "s3:*"
  211  └     ]
  212      }
  213    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #40 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:248
────────────────────────────────────────────────────────────────────────────────
  245    data "aws_iam_policy_document" "ecs_exec" {
  ...  
  248  [     resources = ["*"]
  ...  
  262    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #41-42 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170
   via db_s3.tf:1-38 (module.s3_bucket_oracledb_backups)
────────────────────────────────────────────────────────────────────────────────
  167    resource "aws_s3_bucket_versioning" "default" {
  168      bucket = aws_s3_bucket.default.id
  169      versioning_configuration {
  170  [     status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
  171      }
  172    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:1-38 (module.s3_bucket_oracledb_backups)
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:111-125 (module.s3_bucket_ldap_data_refresh)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #43 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  db_service.tf:114-118
────────────────────────────────────────────────────────────────────────────────
  114    resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
  115      name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
  116      retention_in_days = 7
  117      tags              = local.tags
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #44 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:113-120
────────────────────────────────────────────────────────────────────────────────
  113    resource "aws_security_group_rule" "efs_ingress_ldap" {
  114      type                     = "ingress"
  115      from_port                = 2049
  116      to_port                  = 2049
  117      protocol                 = "tcp"
  118      source_security_group_id = aws_security_group.ldap_efs.id
  119      security_group_id        = aws_security_group.ldap.id
  120    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #45 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:122-125
────────────────────────────────────────────────────────────────────────────────
  122    resource "aws_cloudwatch_log_group" "ldap" {
  123      name              = "${var.env_name}-ldap-ecs"
  124      retention_in_days = 30
  125    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #46 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:271-274
────────────────────────────────────────────────────────────────────────────────
  271    resource "aws_cloudwatch_log_group" "ldap_test" {
  272      name              = "/ecs/ldap_${var.env_name}"
  273      retention_in_days = 5
  274    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #47 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:55-62
────────────────────────────────────────────────────────────────────────────────
   55    resource "aws_security_group_rule" "efs_ingress" {
   56      type                     = "ingress"
   57      from_port                = 2049
   58      to_port                  = 2049
   59      protocol                 = "tcp"
   60      source_security_group_id = aws_security_group.ldap.id
   61      security_group_id        = aws_security_group.ldap_efs.id
   62    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #48 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:64-71
────────────────────────────────────────────────────────────────────────────────
   64    resource "aws_security_group_rule" "efs_ingress_vpc" {
   65      type              = "ingress"
   66      from_port         = 2049
   67      to_port           = 2049
   68      protocol          = "tcp"
   69      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   70      security_group_id = aws_security_group.ldap_efs.id
   71    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #49 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:73-80
────────────────────────────────────────────────────────────────────────────────
   73    resource "aws_security_group_rule" "efs_egress" {
   74      type              = "egress"
   75      from_port         = 0
   76      to_port           = 0
   77      protocol          = "all"
   78      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   79      security_group_id = aws_security_group.ldap_efs.id
   80    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #50 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:199-203
────────────────────────────────────────────────────────────────────────────────
  199    resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
  200      name              = var.weblogic_config.frontend_fully_qualified_name
  201      retention_in_days = 7
  202      tags              = local.tags
  203    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.743494ms
  parsing              2.801133847s
  adaptation           12.273146ms
  checks               17.871721ms
  total                2.833022208s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    14
  blocks processed     655
  files read           74

  results
  ──────────────────────────────────────────
  passed               241
  ignored              20
  critical             2
  high                 38
  medium               2
  low                  8

  241 passed, 20 ignored, 50 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running Checkov in terraform/environments/delius-core/modules/environment_all_components
2023-10-18 10:05:53,250 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-10-18 10:05:53,250 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0:None (for external modules, the --download-external-modules flag is required)
2023-10-18 10:05:53,251 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
2023-10-18 10:05:53,251 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 670, Failed checks: 79, Skipped checks: 4

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.db_ec2_primary_instance
	File: /db_ec2.tf:54-94
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		54 | resource "aws_instance" "db_ec2_primary_instance" {
		55 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		56 |   instance_type               = var.db_config.instance.instance_type
		57 |   ami                         = data.aws_ami.oracle_db_ami.id
		58 |   vpc_security_group_ids      = [aws_security_group.db_ec2_instance_sg.id, aws_security_group.delius_db_security_group.id]
		59 |   subnet_id                   = var.account_config.data_subnet_a_id
		60 |   iam_instance_profile        = aws_iam_instance_profile.db_ec2_instanceprofile.name
		61 |   associate_public_ip_address = false
		62 |   monitoring                  = var.db_config.instance.monitoring
		63 |   ebs_optimized               = true
		64 |   key_name                    = aws_key_pair.environment_ec2_user_key_pair.key_name
		65 |   user_data_base64            = var.db_config.user_data_raw
		66 | 
		67 |   metadata_options {
		68 |     http_endpoint = "enabled"
		69 |     http_tokens   = "optional"
		70 |   }
		71 | 
		72 |   root_block_device {
		73 |     volume_type = var.db_config.ebs_volumes.root_volume.volume_type
		74 |     volume_size = var.db_config.ebs_volumes.root_volume.volume_size
		75 |     iops        = var.db_config.ebs_volumes.iops
		76 |     throughput  = var.db_config.ebs_volumes.throughput
		77 |     encrypted   = true
		78 |     kms_key_id  = var.db_config.ebs_volumes.kms_key_id
		79 |     tags        = local.tags
		80 |   }
		81 | 
		82 |   dynamic "ephemeral_block_device" {
		83 |     for_each = { for k, v in var.db_config.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true }
		84 |     content {
		85 |       device_name = ephemeral_block_device.key
		86 |       no_device   = true
		87 |     }
		88 |   }
		89 |   tags = merge(local.tags,
		90 |     { Name = lower(format("%s-%s-1", var.env_name, var.db_config.name)) },
		91 |     { server-type = "delius_core_db" },
		92 |     { database = "delius_primarydb" }
		93 |   )
		94 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /db_iam.tf:87-96
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		87 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		88 |   statement {
		89 |     sid    = "AllowAccessToSsmParameterStore"
		90 |     effect = "Allow"
		91 |     actions = [
		92 |       "ssm:PutParameter"
		93 |     ]
		94 |     resources = ["*"]
		95 |   }
		96 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /db_iam.tf:87-96

		87 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		88 |   statement {
		89 |     sid    = "AllowAccessToSsmParameterStore"
		90 |     effect = "Allow"
		91 |     actions = [
		92 |       "ssm:PutParameter"
		93 |     ]
		94 |     resources = ["*"]
		95 |   }
		96 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups
	File: /db_s3.tf:1-38
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "s3_bucket_oracledb_backups" {
		2  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		3  |   bucket_name         = "${var.env_name}-oracle-database-backups"
		4  |   versioning_enabled  = false
		5  |   ownership_controls  = "BucketOwnerEnforced"
		6  |   replication_enabled = false
		7  |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		8  | 
		9  |   providers = {
		10 |     aws.bucket-replication = aws.bucket-replication
		11 |   }
		12 | 
		13 |   lifecycle_rule = [
		14 |     {
		15 |       id      = "main"
		16 |       enabled = "Enabled"
		17 |       prefix  = ""
		18 | 
		19 |       tags = {
		20 |         rule      = "log"
		21 |         autoclean = "true"
		22 |       }
		23 | 
		24 |       transition = [
		25 |         {
		26 |           days          = 90
		27 |           storage_class = "STANDARD_IA"
		28 |         }
		29 |       ]
		30 | 
		31 |       expiration = {
		32 |         days = 365
		33 |       }
		34 |     }
		35 |   ]
		36 | 
		37 |   tags = local.tags
		38 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: testing_db_container
	File: /db_service.tf:1-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "testing_db_container" {
		2  |   count                    = var.env_name == "dev" ? 1 : 0
		3  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0"
		4  |   container_name           = "${var.env_name}-${var.delius_db_container_config.fully_qualified_name}"
		5  |   container_image          = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/${var.delius_db_container_config.image_name}-ecr-repo:${var.delius_db_container_config.image_tag}"
		6  |   container_memory         = 4096
		7  |   container_cpu            = 1024
		8  |   essential                = true
		9  |   readonly_root_filesystem = false
		10 |   port_mappings = [
		11 |     {
		12 |       containerPort = var.delius_db_container_config.port
		13 |       hostPort      = var.delius_db_container_config.port
		14 |       protocol      = "tcp"
		15 |     },
		16 |   ]
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.delius_core_testing_db_log_group.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = var.delius_db_container_config.fully_qualified_name
		23 |     }
		24 |   }
		25 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /ldap_backups.tf:1-9
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-backup-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /ldap_datasync.tf:111-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		111 | module "s3_bucket_ldap_data_refresh" {
		112 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		113 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		114 |   versioning_enabled  = false
		115 |   ownership_controls  = "BucketOwnerEnforced"
		116 |   replication_enabled = false
		117 |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		118 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		119 | 
		120 |   providers = {
		121 |     aws.bucket-replication = aws.bucket-replication
		122 |   }
		123 | 
		124 |   tags = local.tags
		125 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-82
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |       "ec2:DescribeInstances",
		56 |       "ec2:CreateNetworkInterface",
		57 |       "ec2:AttachNetworkInterface",
		58 |       "ec2:DescribeNetworkInterfaces",
		59 |       "ec2:DeleteNetworkInterface",
		60 |       "kms:Encrypt",
		61 |       "kms:Decrypt",
		62 |       "kms:ReEncrypt*",
		63 |       "kms:DescribeKey",
		64 |       "kms:GetPublicKey",
		65 |       "kms:ReEncrypt*",
		66 |       "kms:GenerateDataKey",
		67 |       "kms:CreateGrant",
		68 |       "kms:ListGrants",
		69 |       "kms:RevokeGrant"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 |   statement {
		74 |     sid     = "allowAccessForDataSync"
		75 |     effect  = "Allow"
		76 |     actions = ["s3:*"]
		77 |     resources = [
		78 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		79 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		80 |     ]
		81 |   }
		82 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-82
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |       "ec2:DescribeInstances",
		56 |       "ec2:CreateNetworkInterface",
		57 |       "ec2:AttachNetworkInterface",
		58 |       "ec2:DescribeNetworkInterfaces",
		59 |       "ec2:DeleteNetworkInterface",
		60 |       "kms:Encrypt",
		61 |       "kms:Decrypt",
		62 |       "kms:ReEncrypt*",
		63 |       "kms:DescribeKey",
		64 |       "kms:GetPublicKey",
		65 |       "kms:ReEncrypt*",
		66 |       "kms:GenerateDataKey",
		67 |       "kms:CreateGrant",
		68 |       "kms:ListGrants",
		69 |       "kms:RevokeGrant"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 |   statement {
		74 |     sid     = "allowAccessForDataSync"
		75 |     effect  = "Allow"
		76 |     actions = ["s3:*"]
		77 |     resources = [
		78 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		79 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		80 |     ]
		81 |   }
		82 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-82

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |       "ec2:DescribeInstances",
		56 |       "ec2:CreateNetworkInterface",
		57 |       "ec2:AttachNetworkInterface",
		58 |       "ec2:DescribeNetworkInterfaces",
		59 |       "ec2:DeleteNetworkInterface",
		60 |       "kms:Encrypt",
		61 |       "kms:Decrypt",
		62 |       "kms:ReEncrypt*",
		63 |       "kms:DescribeKey",
		64 |       "kms:GetPublicKey",
		65 |       "kms:ReEncrypt*",
		66 |       "kms:GenerateDataKey",
		67 |       "kms:CreateGrant",
		68 |       "kms:ListGrants",
		69 |       "kms:RevokeGrant"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 |   statement {
		74 |     sid     = "allowAccessForDataSync"
		75 |     effect  = "Allow"
		76 |     actions = ["s3:*"]
		77 |     resources = [
		78 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		79 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		80 |     ]
		81 |   }
		82 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_deployment
	File: /ldap_ecs.tf:33-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		33 | module "s3_bucket_ldap_deployment" {
		34 | 
		35 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		36 | 
		37 |   providers = {
		38 |     aws.bucket-replication = aws.bucket-replication
		39 |   }
		40 |   bucket_prefix      = "${var.env_name}-ldap-deployment-"
		41 |   versioning_enabled = true
		42 | 
		43 |   lifecycle_rule = [
		44 |     {
		45 |       id      = "main"
		46 |       enabled = "Enabled"
		47 |       prefix  = ""
		48 | 
		49 |       tags = {
		50 |         rule      = "log"
		51 |         autoclean = "true"
		52 |       }
		53 | 
		54 |       noncurrent_version_transition = [
		55 |         {
		56 |           days          = 90
		57 |           storage_class = "STANDARD_IA"
		58 |           }, {
		59 |           days          = 365
		60 |           storage_class = "GLACIER"
		61 |         }
		62 |       ]
		63 | 
		64 |       noncurrent_version_expiration = {
		65 |         days = 730
		66 |       }
		67 |     }
		68 |   ]
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /ldap_ecs.tf:113-120
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		113 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		114 |   type                     = "ingress"
		115 |   from_port                = 2049
		116 |   to_port                  = 2049
		117 |   protocol                 = "tcp"
		118 |   source_security_group_id = aws_security_group.ldap_efs.id
		119 |   security_group_id        = aws_security_group.ldap.id
		120 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress
	File: /ldap_efs.tf:55-62
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		55 | resource "aws_security_group_rule" "efs_ingress" {
		56 |   type                     = "ingress"
		57 |   from_port                = 2049
		58 |   to_port                  = 2049
		59 |   protocol                 = "tcp"
		60 |   source_security_group_id = aws_security_group.ldap.id
		61 |   security_group_id        = aws_security_group.ldap_efs.id
		62 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_vpc
	File: /ldap_efs.tf:64-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		64 | resource "aws_security_group_rule" "efs_ingress_vpc" {
		65 |   type              = "ingress"
		66 |   from_port         = 2049
		67 |   to_port           = 2049
		68 |   protocol          = "tcp"
		69 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		70 |   security_group_id = aws_security_group.ldap_efs.id
		71 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_egress
	File: /ldap_efs.tf:73-80
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		73 | resource "aws_security_group_rule" "efs_egress" {
		74 |   type              = "egress"
		75 |   from_port         = 0
		76 |   to_port           = 0
		77 |   protocol          = "all"
		78 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		79 |   security_group_id = aws_security_group.ldap_efs.id
		80 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /ldap_params.tf:20-30

		20 | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		21 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		22 |   type  = "SecureString"
		23 |   value = "INITIAL_VALUE_OVERRIDDEN"
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       value
		27 |     ]
		28 |   }
		29 |   tags = local.tags
		30 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /ldap_params.tf:32-42

		32 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		33 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		34 |   type  = "SecureString"
		35 |   value = "INITIAL_VALUE_OVERRIDDEN"
		36 |   lifecycle {
		37 |     ignore_changes = [
		38 |       value
		39 |     ]
		40 |   }
		41 |   tags = local.tags
		42 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /ldap_s3.tf:1-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ldap_s3.tf:94-133
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		94  | module "s3_bucket_app_deployment" {
		95  | 
		96  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		97  | 
		98  |   bucket_name        = "${var.app_name}-${var.env_name}-openldap-deployment"
		99  |   versioning_enabled = true
		100 | 
		101 |   providers = {
		102 |     aws.bucket-replication = aws.bucket-replication
		103 |   }
		104 | 
		105 |   lifecycle_rule = [
		106 |     {
		107 |       id      = "main"
		108 |       enabled = "Enabled"
		109 |       prefix  = ""
		110 | 
		111 |       tags = {
		112 |         rule      = "log"
		113 |         autoclean = "true"
		114 |       }
		115 | 
		116 |       noncurrent_version_transition = [
		117 |         {
		118 |           days          = 90
		119 |           storage_class = "STANDARD_IA"
		120 |           }, {
		121 |           days          = 365
		122 |           storage_class = "GLACIER"
		123 |         }
		124 |       ]
		125 | 
		126 |       noncurrent_version_expiration = {
		127 |         days = 730
		128 |       }
		129 |     }
		130 |   ]
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-41

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | 
		41 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:43-54

		43 | resource "aws_ssm_parameter" "oasys_user" {
		44 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		45 |   type  = "SecureString"
		46 |   value = "INITIAL_VALUE_OVERRIDDEN"
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 |   tags = local.tags
		53 | 
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:56-67

		56 | resource "aws_ssm_parameter" "oasys_password" {
		57 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | 
		67 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:69-80

		69 | resource "aws_ssm_parameter" "iaps_user" {
		70 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		71 |   type  = "SecureString"
		72 |   value = "INITIAL_VALUE_OVERRIDDEN"
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 |   tags = local.tags
		79 | 
		80 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:82-93

		82 | resource "aws_ssm_parameter" "iaps_user_password" {
		83 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = local.tags
		92 | 
		93 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:95-106

		95  | resource "aws_ssm_parameter" "dss_user" {
		96  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		97  |   type  = "SecureString"
		98  |   value = "INITIAL_VALUE_OVERRIDDEN"
		99  |   lifecycle {
		100 |     ignore_changes = [
		101 |       value
		102 |     ]
		103 |   }
		104 |   tags = local.tags
		105 | 
		106 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:108-119

		108 | resource "aws_ssm_parameter" "dss_user_password" {
		109 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		110 |   type  = "SecureString"
		111 |   value = "INITIAL_VALUE_OVERRIDDEN"
		112 |   lifecycle {
		113 |     ignore_changes = [
		114 |       value
		115 |     ]
		116 |   }
		117 |   tags = local.tags
		118 | 
		119 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:121-132

		121 | resource "aws_ssm_parameter" "casenotes_user" {
		122 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		123 |   type  = "SecureString"
		124 |   value = "INITIAL_VALUE_OVERRIDDEN"
		125 |   lifecycle {
		126 |     ignore_changes = [
		127 |       value
		128 |     ]
		129 |   }
		130 |   tags = local.tags
		131 | 
		132 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:134-144

		134 | resource "aws_ssm_parameter" "casenotes_user_password" {
		135 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		136 |   type  = "SecureString"
		137 |   value = "INITIAL_VALUE_OVERRIDDEN"
		138 |   lifecycle {
		139 |     ignore_changes = [
		140 |       value
		141 |     ]
		142 |   }
		143 |   tags = local.tags
		144 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:146-157

		146 | resource "aws_ssm_parameter" "test_user_password" {
		147 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		148 |   type  = "SecureString"
		149 |   value = "INITIAL_VALUE_OVERRIDDEN"
		150 |   lifecycle {
		151 |     ignore_changes = [
		152 |       value
		153 |     ]
		154 |   }
		155 | 
		156 |   tags = local.tags
		157 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:159-171

		159 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		160 |   name  = format("/%s-%s/gdpr/api/client_secret", var.account_info.application_name, var.env_name)
		161 |   type  = "SecureString"
		162 |   value = "INITIAL_VALUE_OVERRIDDEN"
		163 | 
		164 |   lifecycle {
		165 |     ignore_changes = [
		166 |       value
		167 |     ]
		168 |   }
		169 | 
		170 |   tags = local.tags
		171 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:173-185

		173 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		174 |   name  = format("/%s-%s/pwm/pwm/config_password", var.account_info.application_name, var.env_name)
		175 |   type  = "SecureString"
		176 |   value = "INITIAL_VALUE_OVERRIDDEN"
		177 | 
		178 |   lifecycle {
		179 |     ignore_changes = [
		180 |       value
		181 |     ]
		182 |   }
		183 | 
		184 |   tags = local.tags
		185 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:187-199

		187 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		188 |   name  = format("/%s-%s/merge/api/client_secret", var.account_info.application_name, var.env_name)
		189 |   type  = "SecureString"
		190 |   value = "INITIAL_VALUE_OVERRIDDEN"
		191 | 
		192 |   lifecycle {
		193 |     ignore_changes = [
		194 |       value
		195 |     ]
		196 |   }
		197 | 
		198 |   tags = local.tags
		199 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:201-213

		201 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		202 |   name  = format("/%s-%s/weblogic/ndelius-domain/umt_client_secret", var.account_info.application_name, var.env_name)
		203 |   type  = "SecureString"
		204 |   value = "INITIAL_VALUE_OVERRIDDEN"
		205 | 
		206 |   lifecycle {
		207 |     ignore_changes = [
		208 |       value
		209 |     ]
		210 |   }
		211 | 
		212 |   tags = local.tags
		213 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /weblogic_alb.tf:57-69
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		57 | resource "aws_lb" "delius_core_frontend" {
		58 |   # checkov:skip=CKV_AWS_91
		59 |   # checkov:skip=CKV2_AWS_28
		60 | 
		61 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		62 |   internal           = false
		63 |   load_balancer_type = "application"
		64 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		65 |   subnets            = var.account_config.public_subnet_ids
		66 | 
		67 |   enable_deletion_protection = false
		68 |   drop_invalid_header_fields = true
		69 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_url
	File: /weblogic_params.tf:6-16

		6  | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = format("jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN/%s", var.weblogic_config.db_name)
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_password
	File: /weblogic_params.tf:18-28

		18 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_password" {
		19 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		20 |   type  = "SecureString"
		21 |   value = "INITIAL_VALUE_OVERRIDDEN"
		22 |   tags  = local.tags
		23 |   lifecycle {
		24 |     ignore_changes = [
		25 |       value
		26 |     ]
		27 |   }
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_username
	File: /weblogic_params.tf:37-47

		37 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_username" {
		38 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = local.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_password
	File: /weblogic_params.tf:49-59

		49 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_password" {
		50 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		51 |   type  = "SecureString"
		52 |   value = "INITIAL_VALUE_OVERRIDDEN"
		53 |   lifecycle {
		54 |     ignore_changes = [
		55 |       value
		56 |     ]
		57 |   }
		58 |   tags = local.tags
		59 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_eis_user_context
	File: /weblogic_params.tf:61-71

		61 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_eis_user_context" {
		62 |   name  = format("/%s/%s/EIS_USER_CONTEXT", var.account_info.application_name, var.env_name)
		63 |   type  = "SecureString"
		64 |   value = "INITIAL_VALUE_OVERRIDDEN"
		65 |   lifecycle {
		66 |     ignore_changes = [
		67 |       value
		68 |     ]
		69 |   }
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_user_context
	File: /weblogic_params.tf:73-83

		73 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_user_context" {
		74 |   name  = format("/%s/%s/USER_CONTEXT", var.account_info.application_name, var.env_name)
		75 |   type  = "SecureString"
		76 |   value = "INITIAL_VALUE_OVERRIDDEN"
		77 |   lifecycle {
		78 |     ignore_changes = [
		79 |       value
		80 |     ]
		81 |   }
		82 |   tags = local.tags
		83 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: weblogic_container
	File: /weblogic_service.tf:1-63
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.ebs_volume.aws_ebs_volume.this
	File: /../ebs_volume/main.tf:1-10
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup.html

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 | }

Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
	FAILED for resource: aws_route53_record.delius-core-db
	File: /db_service.tf:70-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html

		70 | resource "aws_route53_record" "delius-core-db" {
		71 |   count    = var.env_name == "dev" ? 1 : 0
		72 |   provider = aws.core-vpc
		73 |   zone_id  = var.account_config.route53_inner_zone_info.zone_id
		74 |   name     = "${var.app_name}-${var.env_name}-${var.delius_db_container_config.fully_qualified_name}.${var.account_config.route53_inner_zone_info.name}"
		75 |   type     = "A"
		76 |   ttl      = 300
		77 |   records  = ["10.26.26.95"]
		78 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /ldap_ecs.tf:73-81
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		73 | resource "aws_security_group" "ldap" {
		74 |   name        = "${var.env_name}-ldap-sg"
		75 |   description = "Security group for the ${var.env_name} ldap service"
		76 |   vpc_id      = var.account_info.vpc_id
		77 |   tags        = local.tags
		78 |   lifecycle {
		79 |     create_before_destroy = true
		80 |   }
		81 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.weblogic_service
	File: /weblogic_service.tf:114-122
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		114 | resource "aws_security_group" "weblogic_service" {
		115 |   name        = format("%s - Delius Core Weblogic service", var.env_name)
		116 |   description = "Security group for the ${var.env_name} weblogic service"
		117 |   vpc_id      = var.account_info.vpc_id
		118 |   tags        = local.tags
		119 |   lifecycle {
		120 |     create_before_destroy = true
		121 |   }
		122 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running tflint in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/db_s3.tf line 48:
  48:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 91:
  91:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@haitchison haitchison merged commit 1351ceb into main Oct 18, 2023
15 of 16 checks passed
@haitchison haitchison deleted the csr/r3-app-web-dns-update branch October 18, 2023 10:06