Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor dns/route53 records so only 1 certificate gets created #7789

Merged
merged 4 commits into from
Sep 20, 2024
Merged

Refactor dns/route53 records so only 1 certificate gets created #7789

merged 4 commits into from
Sep 20, 2024

Conversation

mark-butler-solirius
Copy link
Contributor

Add conditional resources to dns_ssl.tf to create different certificate/dns entries based on whether it is production or non-production. Previously, 2 certs were created in production

@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 17, 2024
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/wardship

Running Trivy in terraform/environments/wardship
2024-09-17T15:07:04Z INFO [db] Need to update DB
2024-09-17T15:07:04Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T15:07:06Z INFO [vuln] Vulnerability scanning is enabled
2024-09-17T15:07:06Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-17T15:07:06Z INFO Need to update the built-in policies
2024-09-17T15:07:06Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-17T15:07:06Z INFO [secret] Secret scanning is enabled
2024-09-17T15:07:06Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-17T15:07:06Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-17T15:07:07Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-17T15:07:07Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-17T15:07:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.cert_validation" value="cty.NilVal"
2024-09-17T15:07:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-17T15:07:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-17T15:07:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:07:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:07:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:07:08Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:07:08Z INFO Number of language-specific files num=0
2024-09-17T15:07:08Z INFO Detected config files num=7

ecs.tf (terraform)

Tests: 14 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 7)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
ecs.tf:359-362
────────────────────────────────────────
359 ┌ resource "aws_ecr_repository" "wardship_ecr_repo" {
360 │ name = "wardship-ecr-repo"
361 │ force_delete = true
362 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:458-461
────────────────────────────────────────
458 ┌ resource "aws_sns_topic" "ddos_alarm" {
459 │ count = local.is-development ? 0 : 1
460 │ name = "wardship_ddos_alarm"
461 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:463-466
────────────────────────────────────────
463 ┌ resource "aws_sns_topic" "wardship_utilisation_alarm" {
464 │ count = local.is-development ? 0 : 1
465 │ name = "wardship_utilisation_alarm"
466 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:355
via ecs.tf:351-356 (egress)
via ecs.tf:339-357 (aws_security_group.ecs_service)
────────────────────────────────────────
339 resource "aws_security_group" "ecs_service" {
...
355 [ cidr_blocks = ["0.0.0.0/0"]
...
357 }
────────────────────────────────────────

load_balancer.tf (terraform)

Tests: 12 (SUCCESSES: 6, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
load_balancer.tf:234-242
────────────────────────────────────────
234 ┌ resource "aws_lb" "wardship_lb" {
235 │ name = "wardship-load-balancer"
236 │ load_balancer_type = "application"
237 │ security_groups = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
238 │ subnets = data.aws_subnets.shared-public.ids
239 │ enable_deletion_protection = false
240 │ internal = false
241 │ depends_on = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
242 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
load_balancer.tf:240
via load_balancer.tf:234-242 (aws_lb.wardship_lb)
────────────────────────────────────────
234 resource "aws_lb" "wardship_lb" {
235 name = "wardship-load-balancer"
236 load_balancer_type = "application"
237 security_groups = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
238 subnets = data.aws_subnets.shared-public.ids
239 enable_deletion_protection = false
240 [ internal = false
241 depends_on = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
242 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:83
via load_balancer.tf:78-84 (egress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
83 [ cidr_blocks = ["0.0.0.0/0"]
..
85 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:75
via load_balancer.tf:70-76 (egress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
75 [ cidr_blocks = ["0.0.0.0/0"]
..
85 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:53-67
via load_balancer.tf:49-68 (ingress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
53 ┌ cidr_blocks = [
54 │ "20.26.11.71/32",
55 │ "20.26.11.108/32",
56 │ "20.49.214.199/32",
57 │ "20.49.214.228/32",
58 │ "51.149.249.0/29",
59 └ "51.149.249.32/29",
..
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:27-45
via load_balancer.tf:23-46 (ingress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
27 ┌ cidr_blocks = [
28 │ "194.33.193.0/25",
29 │ "179.50.12.212/32",
30 │ "93.56.171.15/32",
31 │ "52.67.148.55/32",
32 │ "194.33.197.0/25",
33 └ "213.121.161.124/32",
..
────────────────────────────────────────

rds.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
rds.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_db_instance" "wardship_db" {
2 │ count = local.is-development ? 0 : 1
3 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
4 │ db_name = local.application_data.accounts[local.environment].db_name
5 │ storage_type = local.application_data.accounts[local.environment].storage_type
6 │ engine = local.application_data.accounts[local.environment].engine
7 │ identifier = local.application_data.accounts[local.environment].identifier
8 │ engine_version = local.application_data.accounts[local.environment].engine_version
9 └ instance_class = local.application_data.accounts[local.environment].instance_class
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
rds.tf:53
via rds.tf:48-54 (egress)
via rds.tf:26-56 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
26 resource "aws_security_group" "postgresql_db_sc" {
..
53 [ cidr_blocks = ["0.0.0.0/0"]
..
56 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/wardship

*****************************

Running Checkov in terraform/environments/wardship
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-17 15:07:10,704 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-09-17 15:07:10,704 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 91, Failed checks: 53, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # bucket_versioning    = true
		12 |   # bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "ecs_logs" {
		15 |   name              = "wardship-ecs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:339-357
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		339 | resource "aws_security_group" "ecs_service" {
		340 |   name_prefix = "ecs-service-sg-"
		341 |   vpc_id      = data.aws_vpc.shared.id
		342 | 
		343 |   ingress {
		344 |     from_port       = 80
		345 |     to_port         = 80
		346 |     protocol        = "tcp"
		347 |     description     = "Allow traffic on port 80 from load balancer"
		348 |     security_groups = [aws_security_group.wardship_lb_sc.id]
		349 |   }
		350 | 
		351 |   egress {
		352 |     from_port   = 0
		353 |     to_port     = 0
		354 |     protocol    = "-1"
		355 |     cidr_blocks = ["0.0.0.0/0"]
		356 |   }
		357 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ecs.tf:458-461
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		458 | resource "aws_sns_topic" "ddos_alarm" {
		459 |   count = local.is-development ? 0 : 1
		460 |   name  = "wardship_ddos_alarm"
		461 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.wardship_utilisation_alarm
	File: /ecs.tf:463-466
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		463 | resource "aws_sns_topic" "wardship_utilisation_alarm" {
		464 |   count = local.is-development ? 0 : 1
		465 |   name  = "wardship_utilisation_alarm"
		466 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_non_prod
	File: /ecs.tf:486-494
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		486 | module "pagerduty_core_alerts_non_prod" {
		487 |   count = local.is-preproduction ? 1 : 0
		488 |   depends_on = [
		489 |     aws_sns_topic.wardship_utilisation_alarm
		490 |   ]
		491 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		492 |   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
		493 |   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_non_prod_alarms"]
		494 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_prod
	File: /ecs.tf:497-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		497 | module "pagerduty_core_alerts_prod" {
		498 |   count = local.is-production ? 1 : 0
		499 |   depends_on = [
		500 |     aws_sns_topic.wardship_utilisation_alarm
		501 |   ]
		502 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		503 |   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
		504 |   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_prod_alarms"]
		505 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.wardship_lb_sc
	File: /load_balancer.tf:1-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:87-158
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom_2
	File: /load_balancer.tf:160-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.wardship_target_group
	File: /load_balancer.tf:244-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		244 | resource "aws_lb_target_group" "wardship_target_group" {
		245 |   name                 = "wardship-target-group"
		246 |   port                 = 80
		247 |   protocol             = "HTTP"
		248 |   vpc_id               = data.aws_vpc.shared.id
		249 |   target_type          = "ip"
		250 |   deregistration_delay = 30
		251 | 
		252 |   stickiness {
		253 |     type = "lb_cookie"
		254 |   }
		255 | 
		256 |   health_check {
		257 |     healthy_threshold   = "3"
		258 |     interval            = "30"
		259 |     protocol            = "HTTP"
		260 |     port                = "80"
		261 |     unhealthy_threshold = "5"
		262 |     matcher             = "200-302"
		263 |     timeout             = "10"
		264 |   }
		265 | 
		266 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.wardship_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		268 | resource "aws_lb_listener" "wardship_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.wardship_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		281 |   }
		282 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.wardship_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		1  | resource "aws_wafv2_web_acl" "wardship_web_acl" {
		2  |   name  = "wardship-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "wardship-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.wardship_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		1  | resource "aws_wafv2_web_acl" "wardship_web_acl" {
		2  |   name  = "wardship-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "wardship-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.wardship_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		268 | resource "aws_lb_listener" "wardship_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.wardship_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		281 |   }
		282 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/wardship

*****************************

Running tflint in terraform/environments/wardship
Excluding the following checks: terraform_unused_declarations
22 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 54:
  54:           value = "${aws_db_instance.wardship_db[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 58:
  58:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 62:
  62:           value = "${aws_db_instance.wardship_db[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 66:
  66:           value = "${aws_db_instance.wardship_db[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 70:
  70:           value = "${aws_db_instance.wardship_db[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 78:
  78:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 82:
  82:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 86:
  86:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 133:
 133:           value = "${aws_db_instance.wardship_db_dev[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 141:
 141:           value = "${aws_db_instance.wardship_db_dev[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 145:
 145:           value = "${aws_db_instance.wardship_db_dev[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 149:
 149:           value = "${aws_db_instance.wardship_db_dev[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 153:
 153:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 157:
 157:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 161:
 161:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 165:
 165:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in `required_providers` (terraform_required_providers)

  on terraform/environments/wardship/rds.tf line 120:
 120: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/rds.tf line 137:
 137:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/wardship/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/secrets.tf line 18:
  18:   secret_string = jsonencode({ "WARDSHIP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/wardship

*****************************

Running Trivy in terraform/environments/wardship
2024-09-17T15:07:04Z	INFO	[db] Need to update DB
2024-09-17T15:07:04Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T15:07:06Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-17T15:07:06Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-17T15:07:06Z	INFO	Need to update the built-in policies
2024-09-17T15:07:06Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-17T15:07:06Z	INFO	[secret] Secret scanning is enabled
2024-09-17T15:07:06Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-17T15:07:06Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-17T15:07:07Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-17T15:07:07Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-17T15:07:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.cert_validation" value="cty.NilVal"
2024-09-17T15:07:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-17T15:07:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-17T15:07:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:07:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:07:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:07:08Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:07:08Z	INFO	Number of language-specific files	num=0
2024-09-17T15:07:08Z	INFO	Detected config files	num=7

ecs.tf (terraform)
==================
Tests: 14 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 7)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
 ecs.tf:359-362
────────────────────────────────────────
 359resource "aws_ecr_repository" "wardship_ecr_repo" {
 360name         = "wardship-ecr-repo"
 361force_delete = true
 362 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:458-461
────────────────────────────────────────
 458resource "aws_sns_topic" "ddos_alarm" {
 459count = local.is-development ? 0 : 1
 460name  = "wardship_ddos_alarm"
 461 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:463-466
────────────────────────────────────────
 463resource "aws_sns_topic" "wardship_utilisation_alarm" {
 464count = local.is-development ? 0 : 1
 465name  = "wardship_utilisation_alarm"
 466 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:355
   via ecs.tf:351-356 (egress)
    via ecs.tf:339-357 (aws_security_group.ecs_service)
────────────────────────────────────────
 339   resource "aws_security_group" "ecs_service" {
 ...   
 355 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 357   }
────────────────────────────────────────



load_balancer.tf (terraform)
============================
Tests: 12 (SUCCESSES: 6, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 load_balancer.tf:234-242
────────────────────────────────────────
 234resource "aws_lb" "wardship_lb" {
 235 │   name                       = "wardship-load-balancer"
 236 │   load_balancer_type         = "application"
 237 │   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
 238 │   subnets                    = data.aws_subnets.shared-public.ids
 239 │   enable_deletion_protection = false
 240 │   internal                   = false
 241 │   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
 242 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 load_balancer.tf:240
   via load_balancer.tf:234-242 (aws_lb.wardship_lb)
────────────────────────────────────────
 234   resource "aws_lb" "wardship_lb" {
 235     name                       = "wardship-load-balancer"
 236     load_balancer_type         = "application"
 237     security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
 238     subnets                    = data.aws_subnets.shared-public.ids
 239     enable_deletion_protection = false
 240 [   internal                   = false
 241     depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
 242   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:83
   via load_balancer.tf:78-84 (egress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  83 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  85   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:75
   via load_balancer.tf:70-76 (egress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  75 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  85   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:53-67
   via load_balancer.tf:49-68 (ingress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  53 ┌     cidr_blocks = [
  54"20.26.11.71/32",
  55"20.26.11.108/32",
  56"20.49.214.199/32",
  57"20.49.214.228/32",
  58"51.149.249.0/29",
  59"51.149.249.32/29",
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:27-45
   via load_balancer.tf:23-46 (ingress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  27 ┌     cidr_blocks = [
  28"194.33.193.0/25",
  29"179.50.12.212/32",
  30"93.56.171.15/32",
  31"52.67.148.55/32",
  32"194.33.197.0/25",
  33"213.121.161.124/32",
  ..   
────────────────────────────────────────



rds.tf (terraform)
==================
Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 rds.tf:1-19
────────────────────────────────────────
   1 ┌ resource "aws_db_instance" "wardship_db" {
   2 │   count                       = local.is-development ? 0 : 1
   3 │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
   4 │   db_name                     = local.application_data.accounts[local.environment].db_name
   5 │   storage_type                = local.application_data.accounts[local.environment].storage_type
   6 │   engine                      = local.application_data.accounts[local.environment].engine
   7 │   identifier                  = local.application_data.accounts[local.environment].identifier
   8 │   engine_version              = local.application_data.accounts[local.environment].engine_version
   9 └   instance_class              = local.application_data.accounts[local.environment].instance_class
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 rds.tf:53
   via rds.tf:48-54 (egress)
    via rds.tf:26-56 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
  26   resource "aws_security_group" "postgresql_db_sc" {
  ..   
  53 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  56   }
────────────────────────────────────────


trivy_exitcode=1

matthewsearle01
matthewsearle01 previously approved these changes Sep 17, 2024
View reviewed changes
Copy link
Contributor

@matthewsearle01 matthewsearle01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good!

@mark-butler-solirius
Need 2 separate route53 resources for the main DNS entry for prod and…
af40a40 
… non-prod as you cannot have conditional provider
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/wardship

Running Trivy in terraform/environments/wardship
2024-09-17T15:42:06Z INFO [db] Need to update DB
2024-09-17T15:42:06Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T15:42:08Z INFO [vuln] Vulnerability scanning is enabled
2024-09-17T15:42:08Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-17T15:42:08Z INFO Need to update the built-in policies
2024-09-17T15:42:08Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-17T15:42:09Z INFO [secret] Secret scanning is enabled
2024-09-17T15:42:09Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-17T15:42:09Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-17T15:42:09Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-17T15:42:09Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-17T15:42:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.cert_validation" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:42:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:42:10Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-17T15:42:10Z INFO Number of language-specific files num=0
2024-09-17T15:42:10Z INFO Detected config files num=7

ecs.tf (terraform)

Tests: 14 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 7)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
ecs.tf:359-362
────────────────────────────────────────
359 ┌ resource "aws_ecr_repository" "wardship_ecr_repo" {
360 │ name = "wardship-ecr-repo"
361 │ force_delete = true
362 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:458-461
────────────────────────────────────────
458 ┌ resource "aws_sns_topic" "ddos_alarm" {
459 │ count = local.is-development ? 0 : 1
460 │ name = "wardship_ddos_alarm"
461 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:463-466
────────────────────────────────────────
463 ┌ resource "aws_sns_topic" "wardship_utilisation_alarm" {
464 │ count = local.is-development ? 0 : 1
465 │ name = "wardship_utilisation_alarm"
466 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:355
via ecs.tf:351-356 (egress)
via ecs.tf:339-357 (aws_security_group.ecs_service)
────────────────────────────────────────
339 resource "aws_security_group" "ecs_service" {
...
355 [ cidr_blocks = ["0.0.0.0/0"]
...
357 }
────────────────────────────────────────

load_balancer.tf (terraform)

Tests: 12 (SUCCESSES: 6, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
load_balancer.tf:234-242
────────────────────────────────────────
234 ┌ resource "aws_lb" "wardship_lb" {
235 │ name = "wardship-load-balancer"
236 │ load_balancer_type = "application"
237 │ security_groups = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
238 │ subnets = data.aws_subnets.shared-public.ids
239 │ enable_deletion_protection = false
240 │ internal = false
241 │ depends_on = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
242 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
load_balancer.tf:240
via load_balancer.tf:234-242 (aws_lb.wardship_lb)
────────────────────────────────────────
234 resource "aws_lb" "wardship_lb" {
235 name = "wardship-load-balancer"
236 load_balancer_type = "application"
237 security_groups = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
238 subnets = data.aws_subnets.shared-public.ids
239 enable_deletion_protection = false
240 [ internal = false
241 depends_on = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
242 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:83
via load_balancer.tf:78-84 (egress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
83 [ cidr_blocks = ["0.0.0.0/0"]
..
85 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:75
via load_balancer.tf:70-76 (egress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
75 [ cidr_blocks = ["0.0.0.0/0"]
..
85 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:53-67
via load_balancer.tf:49-68 (ingress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
53 ┌ cidr_blocks = [
54 │ "20.26.11.71/32",
55 │ "20.26.11.108/32",
56 │ "20.49.214.199/32",
57 │ "20.49.214.228/32",
58 │ "51.149.249.0/29",
59 └ "51.149.249.32/29",
..
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:27-45
via load_balancer.tf:23-46 (ingress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
27 ┌ cidr_blocks = [
28 │ "194.33.193.0/25",
29 │ "179.50.12.212/32",
30 │ "93.56.171.15/32",
31 │ "52.67.148.55/32",
32 │ "194.33.197.0/25",
33 └ "213.121.161.124/32",
..
────────────────────────────────────────

rds.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
rds.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_db_instance" "wardship_db" {
2 │ count = local.is-development ? 0 : 1
3 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
4 │ db_name = local.application_data.accounts[local.environment].db_name
5 │ storage_type = local.application_data.accounts[local.environment].storage_type
6 │ engine = local.application_data.accounts[local.environment].engine
7 │ identifier = local.application_data.accounts[local.environment].identifier
8 │ engine_version = local.application_data.accounts[local.environment].engine_version
9 └ instance_class = local.application_data.accounts[local.environment].instance_class
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
rds.tf:53
via rds.tf:48-54 (egress)
via rds.tf:26-56 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
26 resource "aws_security_group" "postgresql_db_sc" {
..
53 [ cidr_blocks = ["0.0.0.0/0"]
..
56 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/wardship

*****************************

Running Checkov in terraform/environments/wardship
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-17 15:42:12,871 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-09-17 15:42:12,871 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 92, Failed checks: 53, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # bucket_versioning    = true
		12 |   # bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "ecs_logs" {
		15 |   name              = "wardship-ecs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:339-357
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		339 | resource "aws_security_group" "ecs_service" {
		340 |   name_prefix = "ecs-service-sg-"
		341 |   vpc_id      = data.aws_vpc.shared.id
		342 | 
		343 |   ingress {
		344 |     from_port       = 80
		345 |     to_port         = 80
		346 |     protocol        = "tcp"
		347 |     description     = "Allow traffic on port 80 from load balancer"
		348 |     security_groups = [aws_security_group.wardship_lb_sc.id]
		349 |   }
		350 | 
		351 |   egress {
		352 |     from_port   = 0
		353 |     to_port     = 0
		354 |     protocol    = "-1"
		355 |     cidr_blocks = ["0.0.0.0/0"]
		356 |   }
		357 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ecs.tf:458-461
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		458 | resource "aws_sns_topic" "ddos_alarm" {
		459 |   count = local.is-development ? 0 : 1
		460 |   name  = "wardship_ddos_alarm"
		461 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.wardship_utilisation_alarm
	File: /ecs.tf:463-466
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		463 | resource "aws_sns_topic" "wardship_utilisation_alarm" {
		464 |   count = local.is-development ? 0 : 1
		465 |   name  = "wardship_utilisation_alarm"
		466 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_non_prod
	File: /ecs.tf:486-494
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		486 | module "pagerduty_core_alerts_non_prod" {
		487 |   count = local.is-preproduction ? 1 : 0
		488 |   depends_on = [
		489 |     aws_sns_topic.wardship_utilisation_alarm
		490 |   ]
		491 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		492 |   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
		493 |   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_non_prod_alarms"]
		494 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_prod
	File: /ecs.tf:497-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		497 | module "pagerduty_core_alerts_prod" {
		498 |   count = local.is-production ? 1 : 0
		499 |   depends_on = [
		500 |     aws_sns_topic.wardship_utilisation_alarm
		501 |   ]
		502 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		503 |   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
		504 |   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_prod_alarms"]
		505 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.wardship_lb_sc
	File: /load_balancer.tf:1-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:87-158
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom_2
	File: /load_balancer.tf:160-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.wardship_target_group
	File: /load_balancer.tf:244-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		244 | resource "aws_lb_target_group" "wardship_target_group" {
		245 |   name                 = "wardship-target-group"
		246 |   port                 = 80
		247 |   protocol             = "HTTP"
		248 |   vpc_id               = data.aws_vpc.shared.id
		249 |   target_type          = "ip"
		250 |   deregistration_delay = 30
		251 | 
		252 |   stickiness {
		253 |     type = "lb_cookie"
		254 |   }
		255 | 
		256 |   health_check {
		257 |     healthy_threshold   = "3"
		258 |     interval            = "30"
		259 |     protocol            = "HTTP"
		260 |     port                = "80"
		261 |     unhealthy_threshold = "5"
		262 |     matcher             = "200-302"
		263 |     timeout             = "10"
		264 |   }
		265 | 
		266 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.wardship_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		268 | resource "aws_lb_listener" "wardship_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.wardship_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		281 |   }
		282 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.wardship_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		1  | resource "aws_wafv2_web_acl" "wardship_web_acl" {
		2  |   name  = "wardship-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "wardship-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.wardship_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		1  | resource "aws_wafv2_web_acl" "wardship_web_acl" {
		2  |   name  = "wardship-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "wardship-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.wardship_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		268 | resource "aws_lb_listener" "wardship_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.wardship_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		281 |   }
		282 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/wardship

*****************************

Running tflint in terraform/environments/wardship
Excluding the following checks: terraform_unused_declarations
22 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 54:
  54:           value = "${aws_db_instance.wardship_db[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 58:
  58:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 62:
  62:           value = "${aws_db_instance.wardship_db[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 66:
  66:           value = "${aws_db_instance.wardship_db[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 70:
  70:           value = "${aws_db_instance.wardship_db[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 78:
  78:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 82:
  82:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 86:
  86:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 133:
 133:           value = "${aws_db_instance.wardship_db_dev[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 141:
 141:           value = "${aws_db_instance.wardship_db_dev[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 145:
 145:           value = "${aws_db_instance.wardship_db_dev[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 149:
 149:           value = "${aws_db_instance.wardship_db_dev[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 153:
 153:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 157:
 157:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 161:
 161:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 165:
 165:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in `required_providers` (terraform_required_providers)

  on terraform/environments/wardship/rds.tf line 120:
 120: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/rds.tf line 137:
 137:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/wardship/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/secrets.tf line 18:
  18:   secret_string = jsonencode({ "WARDSHIP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/wardship

*****************************

Running Trivy in terraform/environments/wardship
2024-09-17T15:42:06Z	INFO	[db] Need to update DB
2024-09-17T15:42:06Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T15:42:08Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-17T15:42:08Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-17T15:42:08Z	INFO	Need to update the built-in policies
2024-09-17T15:42:08Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-17T15:42:09Z	INFO	[secret] Secret scanning is enabled
2024-09-17T15:42:09Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-17T15:42:09Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-17T15:42:09Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-17T15:42:09Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-17T15:42:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.cert_validation" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:42:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:42:10Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-17T15:42:10Z	INFO	Number of language-specific files	num=0
2024-09-17T15:42:10Z	INFO	Detected config files	num=7

ecs.tf (terraform)
==================
Tests: 14 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 7)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
 ecs.tf:359-362
────────────────────────────────────────
 359resource "aws_ecr_repository" "wardship_ecr_repo" {
 360name         = "wardship-ecr-repo"
 361force_delete = true
 362 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:458-461
────────────────────────────────────────
 458resource "aws_sns_topic" "ddos_alarm" {
 459count = local.is-development ? 0 : 1
 460name  = "wardship_ddos_alarm"
 461 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:463-466
────────────────────────────────────────
 463resource "aws_sns_topic" "wardship_utilisation_alarm" {
 464count = local.is-development ? 0 : 1
 465name  = "wardship_utilisation_alarm"
 466 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:355
   via ecs.tf:351-356 (egress)
    via ecs.tf:339-357 (aws_security_group.ecs_service)
────────────────────────────────────────
 339   resource "aws_security_group" "ecs_service" {
 ...   
 355 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 357   }
────────────────────────────────────────



load_balancer.tf (terraform)
============================
Tests: 12 (SUCCESSES: 6, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 load_balancer.tf:234-242
────────────────────────────────────────
 234resource "aws_lb" "wardship_lb" {
 235 │   name                       = "wardship-load-balancer"
 236 │   load_balancer_type         = "application"
 237 │   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
 238 │   subnets                    = data.aws_subnets.shared-public.ids
 239 │   enable_deletion_protection = false
 240 │   internal                   = false
 241 │   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
 242 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 load_balancer.tf:240
   via load_balancer.tf:234-242 (aws_lb.wardship_lb)
────────────────────────────────────────
 234   resource "aws_lb" "wardship_lb" {
 235     name                       = "wardship-load-balancer"
 236     load_balancer_type         = "application"
 237     security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
 238     subnets                    = data.aws_subnets.shared-public.ids
 239     enable_deletion_protection = false
 240 [   internal                   = false
 241     depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
 242   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:83
   via load_balancer.tf:78-84 (egress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  83 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  85   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:75
   via load_balancer.tf:70-76 (egress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  75 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  85   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:53-67
   via load_balancer.tf:49-68 (ingress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  53 ┌     cidr_blocks = [
  54"20.26.11.71/32",
  55"20.26.11.108/32",
  56"20.49.214.199/32",
  57"20.49.214.228/32",
  58"51.149.249.0/29",
  59"51.149.249.32/29",
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:27-45
   via load_balancer.tf:23-46 (ingress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  27 ┌     cidr_blocks = [
  28"194.33.193.0/25",
  29"179.50.12.212/32",
  30"93.56.171.15/32",
  31"52.67.148.55/32",
  32"194.33.197.0/25",
  33"213.121.161.124/32",
  ..   
────────────────────────────────────────



rds.tf (terraform)
==================
Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 rds.tf:1-19
────────────────────────────────────────
   1 ┌ resource "aws_db_instance" "wardship_db" {
   2 │   count                       = local.is-development ? 0 : 1
   3 │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
   4 │   db_name                     = local.application_data.accounts[local.environment].db_name
   5 │   storage_type                = local.application_data.accounts[local.environment].storage_type
   6 │   engine                      = local.application_data.accounts[local.environment].engine
   7 │   identifier                  = local.application_data.accounts[local.environment].identifier
   8 │   engine_version              = local.application_data.accounts[local.environment].engine_version
   9 └   instance_class              = local.application_data.accounts[local.environment].instance_class
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 rds.tf:53
   via rds.tf:48-54 (egress)
    via rds.tf:26-56 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
  26   resource "aws_security_group" "postgresql_db_sc" {
  ..   
  53 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  56   }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/wardship

Running Trivy in terraform/environments/wardship
2024-09-17T15:46:00Z INFO [db] Need to update DB
2024-09-17T15:46:00Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T15:46:02Z INFO [vuln] Vulnerability scanning is enabled
2024-09-17T15:46:02Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-17T15:46:02Z INFO Need to update the built-in policies
2024-09-17T15:46:02Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-17T15:46:03Z INFO [secret] Secret scanning is enabled
2024-09-17T15:46:03Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-17T15:46:03Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-17T15:46:03Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-17T15:46:03Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-17T15:46:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.cert_validation" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:46:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:46:04Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-17T15:46:04Z INFO Number of language-specific files num=0
2024-09-17T15:46:04Z INFO Detected config files num=7

ecs.tf (terraform)

Tests: 14 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 7)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
ecs.tf:359-362
────────────────────────────────────────
359 ┌ resource "aws_ecr_repository" "wardship_ecr_repo" {
360 │ name = "wardship-ecr-repo"
361 │ force_delete = true
362 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:458-461
────────────────────────────────────────
458 ┌ resource "aws_sns_topic" "ddos_alarm" {
459 │ count = local.is-development ? 0 : 1
460 │ name = "wardship_ddos_alarm"
461 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:463-466
────────────────────────────────────────
463 ┌ resource "aws_sns_topic" "wardship_utilisation_alarm" {
464 │ count = local.is-development ? 0 : 1
465 │ name = "wardship_utilisation_alarm"
466 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:355
via ecs.tf:351-356 (egress)
via ecs.tf:339-357 (aws_security_group.ecs_service)
────────────────────────────────────────
339 resource "aws_security_group" "ecs_service" {
...
355 [ cidr_blocks = ["0.0.0.0/0"]
...
357 }
────────────────────────────────────────

load_balancer.tf (terraform)

Tests: 12 (SUCCESSES: 6, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
load_balancer.tf:234-242
────────────────────────────────────────
234 ┌ resource "aws_lb" "wardship_lb" {
235 │ name = "wardship-load-balancer"
236 │ load_balancer_type = "application"
237 │ security_groups = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
238 │ subnets = data.aws_subnets.shared-public.ids
239 │ enable_deletion_protection = false
240 │ internal = false
241 │ depends_on = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
242 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
load_balancer.tf:240
via load_balancer.tf:234-242 (aws_lb.wardship_lb)
────────────────────────────────────────
234 resource "aws_lb" "wardship_lb" {
235 name = "wardship-load-balancer"
236 load_balancer_type = "application"
237 security_groups = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
238 subnets = data.aws_subnets.shared-public.ids
239 enable_deletion_protection = false
240 [ internal = false
241 depends_on = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
242 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:83
via load_balancer.tf:78-84 (egress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
83 [ cidr_blocks = ["0.0.0.0/0"]
..
85 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:75
via load_balancer.tf:70-76 (egress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
75 [ cidr_blocks = ["0.0.0.0/0"]
..
85 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:53-67
via load_balancer.tf:49-68 (ingress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
53 ┌ cidr_blocks = [
54 │ "20.26.11.71/32",
55 │ "20.26.11.108/32",
56 │ "20.49.214.199/32",
57 │ "20.49.214.228/32",
58 │ "51.149.249.0/29",
59 └ "51.149.249.32/29",
..
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:27-45
via load_balancer.tf:23-46 (ingress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
27 ┌ cidr_blocks = [
28 │ "194.33.193.0/25",
29 │ "179.50.12.212/32",
30 │ "93.56.171.15/32",
31 │ "52.67.148.55/32",
32 │ "194.33.197.0/25",
33 └ "213.121.161.124/32",
..
────────────────────────────────────────

rds.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
rds.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_db_instance" "wardship_db" {
2 │ count = local.is-development ? 0 : 1
3 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
4 │ db_name = local.application_data.accounts[local.environment].db_name
5 │ storage_type = local.application_data.accounts[local.environment].storage_type
6 │ engine = local.application_data.accounts[local.environment].engine
7 │ identifier = local.application_data.accounts[local.environment].identifier
8 │ engine_version = local.application_data.accounts[local.environment].engine_version
9 └ instance_class = local.application_data.accounts[local.environment].instance_class
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
rds.tf:53
via rds.tf:48-54 (egress)
via rds.tf:26-56 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
26 resource "aws_security_group" "postgresql_db_sc" {
..
53 [ cidr_blocks = ["0.0.0.0/0"]
..
56 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/wardship

*****************************

Running Checkov in terraform/environments/wardship
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-17 15:46:07,048 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-09-17 15:46:07,048 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 92, Failed checks: 53, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # bucket_versioning    = true
		12 |   # bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_non_prod
	File: /ecs.tf:486-494
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		486 | module "pagerduty_core_alerts_non_prod" {
		487 |   count = local.is-preproduction ? 1 : 0
		488 |   depends_on = [
		489 |     aws_sns_topic.wardship_utilisation_alarm
		490 |   ]
		491 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		492 |   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
		493 |   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_non_prod_alarms"]
		494 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_prod
	File: /ecs.tf:497-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		497 | module "pagerduty_core_alerts_prod" {
		498 |   count = local.is-production ? 1 : 0
		499 |   depends_on = [
		500 |     aws_sns_topic.wardship_utilisation_alarm
		501 |   ]
		502 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		503 |   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
		504 |   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_prod_alarms"]
		505 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "ecs_logs" {
		15 |   name              = "wardship-ecs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:339-357
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		339 | resource "aws_security_group" "ecs_service" {
		340 |   name_prefix = "ecs-service-sg-"
		341 |   vpc_id      = data.aws_vpc.shared.id
		342 | 
		343 |   ingress {
		344 |     from_port       = 80
		345 |     to_port         = 80
		346 |     protocol        = "tcp"
		347 |     description     = "Allow traffic on port 80 from load balancer"
		348 |     security_groups = [aws_security_group.wardship_lb_sc.id]
		349 |   }
		350 | 
		351 |   egress {
		352 |     from_port   = 0
		353 |     to_port     = 0
		354 |     protocol    = "-1"
		355 |     cidr_blocks = ["0.0.0.0/0"]
		356 |   }
		357 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ecs.tf:458-461
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		458 | resource "aws_sns_topic" "ddos_alarm" {
		459 |   count = local.is-development ? 0 : 1
		460 |   name  = "wardship_ddos_alarm"
		461 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.wardship_utilisation_alarm
	File: /ecs.tf:463-466
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		463 | resource "aws_sns_topic" "wardship_utilisation_alarm" {
		464 |   count = local.is-development ? 0 : 1
		465 |   name  = "wardship_utilisation_alarm"
		466 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.wardship_lb_sc
	File: /load_balancer.tf:1-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:87-158
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom_2
	File: /load_balancer.tf:160-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.wardship_target_group
	File: /load_balancer.tf:244-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		244 | resource "aws_lb_target_group" "wardship_target_group" {
		245 |   name                 = "wardship-target-group"
		246 |   port                 = 80
		247 |   protocol             = "HTTP"
		248 |   vpc_id               = data.aws_vpc.shared.id
		249 |   target_type          = "ip"
		250 |   deregistration_delay = 30
		251 | 
		252 |   stickiness {
		253 |     type = "lb_cookie"
		254 |   }
		255 | 
		256 |   health_check {
		257 |     healthy_threshold   = "3"
		258 |     interval            = "30"
		259 |     protocol            = "HTTP"
		260 |     port                = "80"
		261 |     unhealthy_threshold = "5"
		262 |     matcher             = "200-302"
		263 |     timeout             = "10"
		264 |   }
		265 | 
		266 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.wardship_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		268 | resource "aws_lb_listener" "wardship_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.wardship_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		281 |   }
		282 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.wardship_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		1  | resource "aws_wafv2_web_acl" "wardship_web_acl" {
		2  |   name  = "wardship-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "wardship-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.wardship_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		1  | resource "aws_wafv2_web_acl" "wardship_web_acl" {
		2  |   name  = "wardship-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "wardship-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.wardship_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		268 | resource "aws_lb_listener" "wardship_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.wardship_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		281 |   }
		282 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/wardship

*****************************

Running tflint in terraform/environments/wardship
Excluding the following checks: terraform_unused_declarations
22 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 54:
  54:           value = "${aws_db_instance.wardship_db[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 58:
  58:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 62:
  62:           value = "${aws_db_instance.wardship_db[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 66:
  66:           value = "${aws_db_instance.wardship_db[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 70:
  70:           value = "${aws_db_instance.wardship_db[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 78:
  78:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 82:
  82:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 86:
  86:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 133:
 133:           value = "${aws_db_instance.wardship_db_dev[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 141:
 141:           value = "${aws_db_instance.wardship_db_dev[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 145:
 145:           value = "${aws_db_instance.wardship_db_dev[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 149:
 149:           value = "${aws_db_instance.wardship_db_dev[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 153:
 153:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 157:
 157:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 161:
 161:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 165:
 165:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in `required_providers` (terraform_required_providers)

  on terraform/environments/wardship/rds.tf line 120:
 120: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/rds.tf line 137:
 137:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/wardship/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/secrets.tf line 18:
  18:   secret_string = jsonencode({ "WARDSHIP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/wardship

*****************************

Running Trivy in terraform/environments/wardship
2024-09-17T15:46:00Z	INFO	[db] Need to update DB
2024-09-17T15:46:00Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T15:46:02Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-17T15:46:02Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-17T15:46:02Z	INFO	Need to update the built-in policies
2024-09-17T15:46:02Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-17T15:46:03Z	INFO	[secret] Secret scanning is enabled
2024-09-17T15:46:03Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-17T15:46:03Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-17T15:46:03Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-17T15:46:03Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-17T15:46:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.cert_validation" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T15:46:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T15:46:04Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-17T15:46:04Z	INFO	Number of language-specific files	num=0
2024-09-17T15:46:04Z	INFO	Detected config files	num=7

ecs.tf (terraform)
==================
Tests: 14 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 7)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
 ecs.tf:359-362
────────────────────────────────────────
 359resource "aws_ecr_repository" "wardship_ecr_repo" {
 360name         = "wardship-ecr-repo"
 361force_delete = true
 362 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:458-461
────────────────────────────────────────
 458resource "aws_sns_topic" "ddos_alarm" {
 459count = local.is-development ? 0 : 1
 460name  = "wardship_ddos_alarm"
 461 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:463-466
────────────────────────────────────────
 463resource "aws_sns_topic" "wardship_utilisation_alarm" {
 464count = local.is-development ? 0 : 1
 465name  = "wardship_utilisation_alarm"
 466 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:355
   via ecs.tf:351-356 (egress)
    via ecs.tf:339-357 (aws_security_group.ecs_service)
────────────────────────────────────────
 339   resource "aws_security_group" "ecs_service" {
 ...   
 355 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 357   }
────────────────────────────────────────



load_balancer.tf (terraform)
============================
Tests: 12 (SUCCESSES: 6, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 load_balancer.tf:234-242
────────────────────────────────────────
 234resource "aws_lb" "wardship_lb" {
 235 │   name                       = "wardship-load-balancer"
 236 │   load_balancer_type         = "application"
 237 │   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
 238 │   subnets                    = data.aws_subnets.shared-public.ids
 239 │   enable_deletion_protection = false
 240 │   internal                   = false
 241 │   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
 242 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 load_balancer.tf:240
   via load_balancer.tf:234-242 (aws_lb.wardship_lb)
────────────────────────────────────────
 234   resource "aws_lb" "wardship_lb" {
 235     name                       = "wardship-load-balancer"
 236     load_balancer_type         = "application"
 237     security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
 238     subnets                    = data.aws_subnets.shared-public.ids
 239     enable_deletion_protection = false
 240 [   internal                   = false
 241     depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
 242   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:83
   via load_balancer.tf:78-84 (egress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  83 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  85   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:75
   via load_balancer.tf:70-76 (egress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  75 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  85   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:53-67
   via load_balancer.tf:49-68 (ingress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  53 ┌     cidr_blocks = [
  54"20.26.11.71/32",
  55"20.26.11.108/32",
  56"20.49.214.199/32",
  57"20.49.214.228/32",
  58"51.149.249.0/29",
  59"51.149.249.32/29",
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:27-45
   via load_balancer.tf:23-46 (ingress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  27 ┌     cidr_blocks = [
  28"194.33.193.0/25",
  29"179.50.12.212/32",
  30"93.56.171.15/32",
  31"52.67.148.55/32",
  32"194.33.197.0/25",
  33"213.121.161.124/32",
  ..   
────────────────────────────────────────



rds.tf (terraform)
==================
Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 rds.tf:1-19
────────────────────────────────────────
   1 ┌ resource "aws_db_instance" "wardship_db" {
   2 │   count                       = local.is-development ? 0 : 1
   3 │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
   4 │   db_name                     = local.application_data.accounts[local.environment].db_name
   5 │   storage_type                = local.application_data.accounts[local.environment].storage_type
   6 │   engine                      = local.application_data.accounts[local.environment].engine
   7 │   identifier                  = local.application_data.accounts[local.environment].identifier
   8 │   engine_version              = local.application_data.accounts[local.environment].engine_version
   9 └   instance_class              = local.application_data.accounts[local.environment].instance_class
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 rds.tf:53
   via rds.tf:48-54 (egress)
    via rds.tf:26-56 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
  26   resource "aws_security_group" "postgresql_db_sc" {
  ..   
  53 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  56   }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/wardship

Running Trivy in terraform/environments/wardship
2024-09-17T17:21:31Z INFO [db] Need to update DB
2024-09-17T17:21:31Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T17:21:33Z INFO [vuln] Vulnerability scanning is enabled
2024-09-17T17:21:33Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-17T17:21:33Z INFO Need to update the built-in policies
2024-09-17T17:21:33Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-17T17:21:33Z INFO [secret] Secret scanning is enabled
2024-09-17T17:21:33Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-17T17:21:33Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-17T17:21:34Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-17T17:21:34Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-17T17:21:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.cert_validation" value="cty.NilVal"
2024-09-17T17:21:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-17T17:21:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-17T17:21:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T17:21:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T17:21:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T17:21:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-17T17:21:35Z INFO Number of language-specific files num=0
2024-09-17T17:21:35Z INFO Detected config files num=7

ecs.tf (terraform)

Tests: 14 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 7)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
ecs.tf:359-362
────────────────────────────────────────
359 ┌ resource "aws_ecr_repository" "wardship_ecr_repo" {
360 │ name = "wardship-ecr-repo"
361 │ force_delete = true
362 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:458-461
────────────────────────────────────────
458 ┌ resource "aws_sns_topic" "ddos_alarm" {
459 │ count = local.is-development ? 0 : 1
460 │ name = "wardship_ddos_alarm"
461 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:463-466
────────────────────────────────────────
463 ┌ resource "aws_sns_topic" "wardship_utilisation_alarm" {
464 │ count = local.is-development ? 0 : 1
465 │ name = "wardship_utilisation_alarm"
466 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:355
via ecs.tf:351-356 (egress)
via ecs.tf:339-357 (aws_security_group.ecs_service)
────────────────────────────────────────
339 resource "aws_security_group" "ecs_service" {
...
355 [ cidr_blocks = ["0.0.0.0/0"]
...
357 }
────────────────────────────────────────

load_balancer.tf (terraform)

Tests: 12 (SUCCESSES: 6, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
load_balancer.tf:234-242
────────────────────────────────────────
234 ┌ resource "aws_lb" "wardship_lb" {
235 │ name = "wardship-load-balancer"
236 │ load_balancer_type = "application"
237 │ security_groups = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
238 │ subnets = data.aws_subnets.shared-public.ids
239 │ enable_deletion_protection = false
240 │ internal = false
241 │ depends_on = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
242 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
load_balancer.tf:240
via load_balancer.tf:234-242 (aws_lb.wardship_lb)
────────────────────────────────────────
234 resource "aws_lb" "wardship_lb" {
235 name = "wardship-load-balancer"
236 load_balancer_type = "application"
237 security_groups = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
238 subnets = data.aws_subnets.shared-public.ids
239 enable_deletion_protection = false
240 [ internal = false
241 depends_on = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
242 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:83
via load_balancer.tf:78-84 (egress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
83 [ cidr_blocks = ["0.0.0.0/0"]
..
85 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:75
via load_balancer.tf:70-76 (egress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
75 [ cidr_blocks = ["0.0.0.0/0"]
..
85 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:53-67
via load_balancer.tf:49-68 (ingress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
53 ┌ cidr_blocks = [
54 │ "20.26.11.71/32",
55 │ "20.26.11.108/32",
56 │ "20.49.214.199/32",
57 │ "20.49.214.228/32",
58 │ "51.149.249.0/29",
59 └ "51.149.249.32/29",
..
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:27-45
via load_balancer.tf:23-46 (ingress)
via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "wardship_lb_sc" {
.
27 ┌ cidr_blocks = [
28 │ "194.33.193.0/25",
29 │ "179.50.12.212/32",
30 │ "93.56.171.15/32",
31 │ "52.67.148.55/32",
32 │ "194.33.197.0/25",
33 └ "213.121.161.124/32",
..
────────────────────────────────────────

rds.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
rds.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_db_instance" "wardship_db" {
2 │ count = local.is-development ? 0 : 1
3 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
4 │ db_name = local.application_data.accounts[local.environment].db_name
5 │ storage_type = local.application_data.accounts[local.environment].storage_type
6 │ engine = local.application_data.accounts[local.environment].engine
7 │ identifier = local.application_data.accounts[local.environment].identifier
8 │ engine_version = local.application_data.accounts[local.environment].engine_version
9 └ instance_class = local.application_data.accounts[local.environment].instance_class
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
rds.tf:53
via rds.tf:48-54 (egress)
via rds.tf:26-56 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
26 resource "aws_security_group" "postgresql_db_sc" {
..
53 [ cidr_blocks = ["0.0.0.0/0"]
..
56 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/wardship

*****************************

Running Checkov in terraform/environments/wardship
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-17 17:21:37,720 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-09-17 17:21:37,720 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 92, Failed checks: 53, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # bucket_versioning    = true
		12 |   # bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_non_prod
	File: /ecs.tf:486-494
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		486 | module "pagerduty_core_alerts_non_prod" {
		487 |   count = local.is-preproduction ? 1 : 0
		488 |   depends_on = [
		489 |     aws_sns_topic.wardship_utilisation_alarm
		490 |   ]
		491 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		492 |   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
		493 |   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_non_prod_alarms"]
		494 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_prod
	File: /ecs.tf:497-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		497 | module "pagerduty_core_alerts_prod" {
		498 |   count = local.is-production ? 1 : 0
		499 |   depends_on = [
		500 |     aws_sns_topic.wardship_utilisation_alarm
		501 |   ]
		502 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		503 |   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
		504 |   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_prod_alarms"]
		505 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "ecs_logs" {
		15 |   name              = "wardship-ecs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:339-357
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		339 | resource "aws_security_group" "ecs_service" {
		340 |   name_prefix = "ecs-service-sg-"
		341 |   vpc_id      = data.aws_vpc.shared.id
		342 | 
		343 |   ingress {
		344 |     from_port       = 80
		345 |     to_port         = 80
		346 |     protocol        = "tcp"
		347 |     description     = "Allow traffic on port 80 from load balancer"
		348 |     security_groups = [aws_security_group.wardship_lb_sc.id]
		349 |   }
		350 | 
		351 |   egress {
		352 |     from_port   = 0
		353 |     to_port     = 0
		354 |     protocol    = "-1"
		355 |     cidr_blocks = ["0.0.0.0/0"]
		356 |   }
		357 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ecs.tf:458-461
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		458 | resource "aws_sns_topic" "ddos_alarm" {
		459 |   count = local.is-development ? 0 : 1
		460 |   name  = "wardship_ddos_alarm"
		461 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.wardship_utilisation_alarm
	File: /ecs.tf:463-466
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		463 | resource "aws_sns_topic" "wardship_utilisation_alarm" {
		464 |   count = local.is-development ? 0 : 1
		465 |   name  = "wardship_utilisation_alarm"
		466 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.wardship_lb_sc
	File: /load_balancer.tf:1-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:87-158
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom_2
	File: /load_balancer.tf:160-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.wardship_target_group
	File: /load_balancer.tf:244-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		244 | resource "aws_lb_target_group" "wardship_target_group" {
		245 |   name                 = "wardship-target-group"
		246 |   port                 = 80
		247 |   protocol             = "HTTP"
		248 |   vpc_id               = data.aws_vpc.shared.id
		249 |   target_type          = "ip"
		250 |   deregistration_delay = 30
		251 | 
		252 |   stickiness {
		253 |     type = "lb_cookie"
		254 |   }
		255 | 
		256 |   health_check {
		257 |     healthy_threshold   = "3"
		258 |     interval            = "30"
		259 |     protocol            = "HTTP"
		260 |     port                = "80"
		261 |     unhealthy_threshold = "5"
		262 |     matcher             = "200-302"
		263 |     timeout             = "10"
		264 |   }
		265 | 
		266 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.wardship_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		268 | resource "aws_lb_listener" "wardship_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.wardship_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		281 |   }
		282 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.wardship_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		1  | resource "aws_wafv2_web_acl" "wardship_web_acl" {
		2  |   name  = "wardship-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "wardship-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.wardship_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		1  | resource "aws_wafv2_web_acl" "wardship_web_acl" {
		2  |   name  = "wardship-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "wardship-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.wardship_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		268 | resource "aws_lb_listener" "wardship_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.wardship_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		281 |   }
		282 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/wardship

*****************************

Running tflint in terraform/environments/wardship
Excluding the following checks: terraform_unused_declarations
22 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 54:
  54:           value = "${aws_db_instance.wardship_db[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 58:
  58:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 62:
  62:           value = "${aws_db_instance.wardship_db[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 66:
  66:           value = "${aws_db_instance.wardship_db[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 70:
  70:           value = "${aws_db_instance.wardship_db[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 78:
  78:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 82:
  82:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 86:
  86:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 133:
 133:           value = "${aws_db_instance.wardship_db_dev[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 141:
 141:           value = "${aws_db_instance.wardship_db_dev[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 145:
 145:           value = "${aws_db_instance.wardship_db_dev[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 149:
 149:           value = "${aws_db_instance.wardship_db_dev[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 153:
 153:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 157:
 157:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 161:
 161:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 165:
 165:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in `required_providers` (terraform_required_providers)

  on terraform/environments/wardship/rds.tf line 120:
 120: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/rds.tf line 137:
 137:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/wardship/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/secrets.tf line 18:
  18:   secret_string = jsonencode({ "WARDSHIP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/wardship

*****************************

Running Trivy in terraform/environments/wardship
2024-09-17T17:21:31Z	INFO	[db] Need to update DB
2024-09-17T17:21:31Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T17:21:33Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-17T17:21:33Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-17T17:21:33Z	INFO	Need to update the built-in policies
2024-09-17T17:21:33Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-17T17:21:33Z	INFO	[secret] Secret scanning is enabled
2024-09-17T17:21:33Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-17T17:21:33Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-17T17:21:34Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-17T17:21:34Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-17T17:21:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.cert_validation" value="cty.NilVal"
2024-09-17T17:21:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-17T17:21:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-17T17:21:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T17:21:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-17T17:21:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-17T17:21:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-17T17:21:35Z	INFO	Number of language-specific files	num=0
2024-09-17T17:21:35Z	INFO	Detected config files	num=7

ecs.tf (terraform)
==================
Tests: 14 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 7)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
 ecs.tf:359-362
────────────────────────────────────────
 359resource "aws_ecr_repository" "wardship_ecr_repo" {
 360name         = "wardship-ecr-repo"
 361force_delete = true
 362 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:458-461
────────────────────────────────────────
 458resource "aws_sns_topic" "ddos_alarm" {
 459count = local.is-development ? 0 : 1
 460name  = "wardship_ddos_alarm"
 461 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:463-466
────────────────────────────────────────
 463resource "aws_sns_topic" "wardship_utilisation_alarm" {
 464count = local.is-development ? 0 : 1
 465name  = "wardship_utilisation_alarm"
 466 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:355
   via ecs.tf:351-356 (egress)
    via ecs.tf:339-357 (aws_security_group.ecs_service)
────────────────────────────────────────
 339   resource "aws_security_group" "ecs_service" {
 ...   
 355 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 357   }
────────────────────────────────────────



load_balancer.tf (terraform)
============================
Tests: 12 (SUCCESSES: 6, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 load_balancer.tf:234-242
────────────────────────────────────────
 234resource "aws_lb" "wardship_lb" {
 235 │   name                       = "wardship-load-balancer"
 236 │   load_balancer_type         = "application"
 237 │   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
 238 │   subnets                    = data.aws_subnets.shared-public.ids
 239 │   enable_deletion_protection = false
 240 │   internal                   = false
 241 │   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
 242 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 load_balancer.tf:240
   via load_balancer.tf:234-242 (aws_lb.wardship_lb)
────────────────────────────────────────
 234   resource "aws_lb" "wardship_lb" {
 235     name                       = "wardship-load-balancer"
 236     load_balancer_type         = "application"
 237     security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
 238     subnets                    = data.aws_subnets.shared-public.ids
 239     enable_deletion_protection = false
 240 [   internal                   = false
 241     depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
 242   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:83
   via load_balancer.tf:78-84 (egress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  83 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  85   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:75
   via load_balancer.tf:70-76 (egress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  75 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  85   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:53-67
   via load_balancer.tf:49-68 (ingress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  53 ┌     cidr_blocks = [
  54"20.26.11.71/32",
  55"20.26.11.108/32",
  56"20.49.214.199/32",
  57"20.49.214.228/32",
  58"51.149.249.0/29",
  59"51.149.249.32/29",
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:27-45
   via load_balancer.tf:23-46 (ingress)
    via load_balancer.tf:1-85 (aws_security_group.wardship_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "wardship_lb_sc" {
   .   
  27 ┌     cidr_blocks = [
  28"194.33.193.0/25",
  29"179.50.12.212/32",
  30"93.56.171.15/32",
  31"52.67.148.55/32",
  32"194.33.197.0/25",
  33"213.121.161.124/32",
  ..   
────────────────────────────────────────



rds.tf (terraform)
==================
Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 rds.tf:1-19
────────────────────────────────────────
   1 ┌ resource "aws_db_instance" "wardship_db" {
   2 │   count                       = local.is-development ? 0 : 1
   3 │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
   4 │   db_name                     = local.application_data.accounts[local.environment].db_name
   5 │   storage_type                = local.application_data.accounts[local.environment].storage_type
   6 │   engine                      = local.application_data.accounts[local.environment].engine
   7 │   identifier                  = local.application_data.accounts[local.environment].identifier
   8 │   engine_version              = local.application_data.accounts[local.environment].engine_version
   9 └   instance_class              = local.application_data.accounts[local.environment].instance_class
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 rds.tf:53
   via rds.tf:48-54 (egress)
    via rds.tf:26-56 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
  26   resource "aws_security_group" "postgresql_db_sc" {
  ..   
  53 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  56   }
────────────────────────────────────────


trivy_exitcode=1

@mark-butler-solirius mark-butler-solirius merged commit 8fcaff6 into main Sep 20, 2024
13 of 14 checks passed
@mark-butler-solirius mark-butler-solirius deleted the RST-6879-refactor-certificate-creation branch September 20, 2024 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matthewsearle01 matthewsearle01 matthewsearle01 approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mark-butler-solirius @matthewsearle01