
🥡 DataSync continued #8164

Merged
merged 22 commits into from
Oct 17, 2024

Conversation

@jacobwoffenden jacobwoffenden commented Oct 10, 2024

This pull request:

Signed-off-by: Jacob Woffenden [email protected]

add script for returning ip address

Signed-off-by: Jacob Woffenden <[email protected]>
@jacobwoffenden jacobwoffenden self-assigned this Oct 10, 2024
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 10, 2024
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development October 10, 2024 17:30 — with GitHub Actions Failure

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************
Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T17:31:23Z INFO [vulndb] Need to update DB
2024-10-10T17:31:23Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T17:31:23Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T17:31:24Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 1.132756ms, allowed: 44000/minute\n\n"
2024-10-10T17:31:24Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 17:31:27,027 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,027 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,027 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,028 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,028 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,028 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,028 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,028 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,028 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,028 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,029 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,029 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:31:27,029 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 157, Failed checks: 0, Skipped checks: 58


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0


Signed-off-by: Jacob Woffenden <[email protected]>
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development October 10, 2024 17:36 — with GitHub Actions Failure

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************
Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T17:36:18Z INFO [vulndb] Need to update DB
2024-10-10T17:36:18Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T17:36:18Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T17:36:21Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T17:36:21Z INFO [vuln] Vulnerability scanning is enabled
2024-10-10T17:36:21Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-10T17:36:21Z INFO [misconfig] Need to update the built-in checks
2024-10-10T17:36:21Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-10T17:36:22Z INFO [secret] Secret scanning is enabled
2024-10-10T17:36:22Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T17:36:22Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T17:36:22Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-10T17:36:22Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-10T17:36:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-10T17:36:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:33Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T17:36:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T17:36:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T17:36:33Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T17:36:33Z INFO Number of language-specific files num=0
2024-10-10T17:36:33Z INFO Detected config files num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 17:36:36,782 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,782 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,782 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,783 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,783 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,783 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,783 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,783 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,783 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,784 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,784 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,784 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 17:36:36,784 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 157, Failed checks: 0, Skipped checks: 58


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T17:36:18Z	INFO	[vulndb] Need to update DB
2024-10-10T17:36:18Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-10T17:36:18Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T17:36:21Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T17:36:21Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-10T17:36:21Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-10T17:36:21Z	INFO	[misconfig] Need to update the built-in checks
2024-10-10T17:36:21Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-10T17:36:22Z	INFO	[secret] Secret scanning is enabled
2024-10-10T17:36:22Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T17:36:22Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T17:36:22Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-10T17:36:22Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-10T17:36:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-10T17:36:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T17:36:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T17:36:33Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T17:36:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T17:36:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T17:36:33Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T17:36:33Z	INFO	Number of language-specific files	num=0
2024-10-10T17:36:33Z	INFO	Detected config files	num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

Signed-off-by: Jacob Woffenden <[email protected]>

Trivy Scan Failed


Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion


Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T20:32:33Z INFO [vulndb] Need to update DB
2024-10-10T20:32:33Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T20:32:33Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T20:32:35Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T20:32:35Z INFO [vuln] Vulnerability scanning is enabled
2024-10-10T20:32:35Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-10T20:32:35Z INFO [misconfig] Need to update the built-in checks
2024-10-10T20:32:35Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-10T20:32:36Z INFO [secret] Secret scanning is enabled
2024-10-10T20:32:36Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T20:32:36Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T20:32:37Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-10T20:32:37Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-10T20:32:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-10T20:32:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T20:32:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:32:48Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T20:32:48Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T20:32:48Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:32:48Z INFO Number of language-specific files num=0
2024-10-10T20:32:48Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-27 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 20:32:51,489 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,490 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:32:51,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 159, Failed checks: 0, Skipped checks: 60


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T20:32:33Z	INFO	[vulndb] Need to update DB
2024-10-10T20:32:33Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-10T20:32:33Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T20:32:35Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T20:32:35Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-10T20:32:35Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-10T20:32:35Z	INFO	[misconfig] Need to update the built-in checks
2024-10-10T20:32:35Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-10T20:32:36Z	INFO	[secret] Secret scanning is enabled
2024-10-10T20:32:36Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T20:32:36Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T20:32:37Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-10T20:32:37Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-10T20:32:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-10T20:32:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T20:32:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:32:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:32:48Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T20:32:48Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T20:32:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:32:48Z	INFO	Number of language-specific files	num=0
2024-10-10T20:32:48Z	INFO	Detected config files	num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-27 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

fix
Signed-off-by: Jacob Woffenden <[email protected]>
Contributor

Trivy Scan Failed


Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion


Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T20:35:32Z INFO [vulndb] Need to update DB
2024-10-10T20:35:32Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T20:35:32Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T20:35:34Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T20:35:34Z INFO [vuln] Vulnerability scanning is enabled
2024-10-10T20:35:34Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-10T20:35:34Z INFO [misconfig] Need to update the built-in checks
2024-10-10T20:35:34Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-10T20:35:35Z INFO [secret] Secret scanning is enabled
2024-10-10T20:35:35Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T20:35:35Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T20:35:36Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-10T20:35:36Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-10T20:35:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-10T20:35:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T20:35:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:42Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T20:35:42Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T20:35:42Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:35:42Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:35:42Z INFO Number of language-specific files num=0
2024-10-10T20:35:42Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-27 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 20:35:44,604 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,605 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,606 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,606 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,606 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,606 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,606 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,606 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:35:44,606 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 159, Failed checks: 0, Skipped checks: 60


checkov_exitcode=0

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:35:42Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T20:35:42Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T20:35:42Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:35:42Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:35:42Z	INFO	Number of language-specific files	num=0
2024-10-10T20:35:42Z	INFO	Detected config files	num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-27 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 10, 2024 20:35 — with GitHub Actions Inactive
Jacob Woffenden added 2 commits October 10, 2024 20:49
Signed-off-by: Jacob Woffenden <[email protected]>
Signed-off-by: Jacob Woffenden <[email protected]>
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion


Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T20:50:45Z INFO [vulndb] Need to update DB
2024-10-10T20:50:45Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T20:50:45Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T20:50:47Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T20:50:47Z INFO [vuln] Vulnerability scanning is enabled
2024-10-10T20:50:47Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-10T20:50:47Z INFO [misconfig] Need to update the built-in checks
2024-10-10T20:50:47Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-10T20:50:48Z INFO [secret] Secret scanning is enabled
2024-10-10T20:50:48Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T20:50:48Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T20:50:49Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-10T20:50:49Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-10T20:50:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-10T20:50:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:57Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:50:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T20:50:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T20:50:57Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:50:57Z INFO Number of language-specific files num=0
2024-10-10T20:50:57Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 20:50:59,743 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,743 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,744 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,744 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,744 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,744 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,744 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,744 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,745 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,745 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,745 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,745 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,745 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 20:50:59,745 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 159, Failed checks: 0, Skipped checks: 60


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T20:50:45Z	INFO	[vulndb] Need to update DB
2024-10-10T20:50:45Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-10T20:50:45Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T20:50:47Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T20:50:47Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-10T20:50:47Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-10T20:50:47Z	INFO	[misconfig] Need to update the built-in checks
2024-10-10T20:50:47Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-10T20:50:48Z	INFO	[secret] Secret scanning is enabled
2024-10-10T20:50:48Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T20:50:48Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T20:50:49Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-10T20:50:49Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-10T20:50:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-10T20:50:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T20:50:57Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:50:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T20:50:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T20:50:57Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T20:50:57Z	INFO	Number of language-specific files	num=0
2024-10-10T20:50:57Z	INFO	Detected config files	num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 10, 2024 20:51 — with GitHub Actions Inactive
Signed-off-by: Jacob Woffenden <[email protected]>
Contributor

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion


Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T21:11:32Z INFO [vulndb] Need to update DB
2024-10-10T21:11:32Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T21:11:32Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T21:11:34Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T21:11:34Z INFO [vuln] Vulnerability scanning is enabled
2024-10-10T21:11:34Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-10T21:11:34Z INFO [misconfig] Need to update the built-in checks
2024-10-10T21:11:34Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-10T21:11:34Z INFO [secret] Secret scanning is enabled
2024-10-10T21:11:34Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T21:11:34Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T21:11:35Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-10T21:11:35Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-10T21:11:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-10T21:11:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:11:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:11:41Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T21:11:41Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T21:11:41Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T21:11:41Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T21:11:41Z INFO Number of language-specific files num=0
2024-10-10T21:11:41Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 21:11:43,640 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,640 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,640 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,642 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,642 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:11:43,642 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 159, Failed checks: 0, Skipped checks: 60


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

2024-10-10T21:11:41Z	INFO	Detected config files	num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development October 10, 2024 21:12 — with GitHub Actions Failure
Signed-off-by: Jacob Woffenden <[email protected]>
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development October 10, 2024 21:29 — with GitHub Actions Failure

Trivy Scan Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion


Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T21:29:18Z INFO [vulndb] Need to update DB
2024-10-10T21:29:18Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T21:29:18Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T21:29:20Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T21:29:20Z INFO [vuln] Vulnerability scanning is enabled
2024-10-10T21:29:20Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-10T21:29:20Z INFO [misconfig] Need to update the built-in checks
2024-10-10T21:29:20Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-10T21:29:20Z INFO [secret] Secret scanning is enabled
2024-10-10T21:29:20Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T21:29:20Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T21:29:21Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-10T21:29:21Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-10T21:29:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-10T21:29:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:29Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T21:29:29Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T21:29:29Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T21:29:29Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T21:29:29Z INFO Number of language-specific files num=0
2024-10-10T21:29:29Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 21:29:32,557 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,557 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,557 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,557 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,558 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,558 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,558 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,558 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,558 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,558 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,559 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,559 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,559 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 21:29:32,559 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 159, Failed checks: 0, Skipped checks: 60


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T21:29:18Z	INFO	[vulndb] Need to update DB
2024-10-10T21:29:18Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-10T21:29:18Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T21:29:20Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T21:29:20Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-10T21:29:20Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-10T21:29:20Z	INFO	[misconfig] Need to update the built-in checks
2024-10-10T21:29:20Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-10T21:29:20Z	INFO	[secret] Secret scanning is enabled
2024-10-10T21:29:20Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T21:29:20Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T21:29:21Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-10T21:29:21Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-10T21:29:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-10T21:29:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T21:29:29Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T21:29:29Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T21:29:29Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T21:29:29Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T21:29:29Z	INFO	Number of language-specific files	num=0
2024-10-10T21:29:29Z	INFO	Detected config files	num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development October 10, 2024 21:32 — with GitHub Actions Failure
Signed-off-by: Jacob Woffenden <[email protected]>
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion


Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T22:10:14Z INFO [vulndb] Need to update DB
2024-10-10T22:10:14Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T22:10:14Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T22:10:16Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T22:10:16Z INFO [vuln] Vulnerability scanning is enabled
2024-10-10T22:10:16Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-10T22:10:16Z INFO [misconfig] Need to update the built-in checks
2024-10-10T22:10:16Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-10T22:10:16Z INFO [secret] Secret scanning is enabled
2024-10-10T22:10:16Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T22:10:16Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T22:10:17Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-10T22:10:17Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-10T22:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-10T22:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:10:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:10:23Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T22:10:23Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T22:10:23Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T22:10:23Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T22:10:23Z INFO Number of language-specific files num=0
2024-10-10T22:10:23Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 22:10:25,831 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,831 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,832 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,832 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,832 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,832 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,832 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,832 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,833 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,833 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,833 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,833 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,833 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:10:25,833 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 159, Failed checks: 0, Skipped checks: 60


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 10, 2024 22:10 — with GitHub Actions Inactive
Signed-off-by: Jacob Woffenden <[email protected]>
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development October 10, 2024 22:16 — with GitHub Actions Failure
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion


Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-10T22:15:51Z INFO [vulndb] Need to update DB
2024-10-10T22:15:51Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T22:15:51Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T22:15:53Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T22:15:53Z INFO [vuln] Vulnerability scanning is enabled
2024-10-10T22:15:53Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-10T22:15:53Z INFO [misconfig] Need to update the built-in checks
2024-10-10T22:15:53Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-10T22:15:53Z INFO [secret] Secret scanning is enabled
2024-10-10T22:15:53Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-10T22:15:53Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-10T22:15:54Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-10T22:15:54Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-10T22:15:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-10T22:15:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:16:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:16:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-10T22:16:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_transferred_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-10T22:16:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:16:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.processed_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:16:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:16:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.quarantine_bucket.dynamic.rule" value="cty.NilVal"
2024-10-10T22:16:05Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T22:16:05Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-10T22:16:05Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-10T22:16:05Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-10T22:16:05Z INFO Number of language-specific files num=0
2024-10-10T22:16:05Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:309-370 (module.notify_transferred_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 22:16:08,085 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,085 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,086 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,086 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,086 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,086 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,086 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,086 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,087 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,087 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,087 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,087 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,087 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-10 22:16:08,087 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 159, Failed checks: 0, Skipped checks: 60


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0


Signed-off-by: Jacob Woffenden <[email protected]>

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion


Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-16T16:55:40Z INFO [vulndb] Need to update DB
2024-10-16T16:55:40Z INFO [vulndb] Downloading vulnerability DB...
2024-10-16T16:55:40Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T16:55:40Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 585.466µs, allowed: 44000/minute\n\n"
2024-10-16T16:55:40Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-16 16:55:42,604 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,604 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,604 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,604 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,605 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,606 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,606 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-16 16:55:42,606 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 164, Failed checks: 0, Skipped checks: 64


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0


@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 16, 2024 16:55 — with GitHub Actions Inactive
Signed-off-by: Jacob Woffenden <[email protected]>

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion


Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-16T17:03:39Z INFO [vulndb] Need to update DB
2024-10-16T17:03:39Z INFO [vulndb] Downloading vulnerability DB...
2024-10-16T17:03:39Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T17:03:40Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:2ea6fd2ba7b1b63c15bc8b71e78dcb6feb7719f911fe96ae0c6610a10ed11bdc: TOOMANYREQUESTS: retry-after: 165.7µs, allowed: 44000/minute"
2024-10-16T17:03:40Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-16 17:03:42,943 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,943 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,943 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,943 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,943 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,944 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,944 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,944 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,944 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,944 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,944 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,945 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,945 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:03:42,945 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 164, Failed checks: 0, Skipped checks: 64


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-16T17:03:39Z	INFO	[vulndb] Need to update DB
2024-10-16T17:03:39Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-16T17:03:39Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T17:03:40Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:2ea6fd2ba7b1b63c15bc8b71e78dcb6feb7719f911fe96ae0c6610a10ed11bdc: TOOMANYREQUESTS: retry-after: 165.7µs, allowed: 44000/minute"
2024-10-16T17:03:40Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1
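
The run above aborted before it looked at any Terraform: ghcr.io throttled the vulnerability DB download (TOOMANYREQUESTS), Trivy gave up with "failed to download artifact from any source", and trivy_exitcode=1 then reads exactly like a real finding would. As an added example, not code from this repository or from the workflow that posts these comments, the following shell wrapper tells the two apart: it retries only when stderr carries the throttling signature, backs off exponentially, and hands any other non-zero exit straight back. It also requests only the misconfiguration and secret scanners, so a Terraform directory scan never needs the vulnerability DB in the first place. `retry_on_rate_limit`, `scan_terraform_dir`, the attempt count and the delays are the example's own choices; `trivy fs --scanners misconfig,secret --exit-code 1` are standard Trivy flags.

```shell
#!/usr/bin/env bash
# Added example for this PR page; not part of the repository's workflow.
# Retries a registry-dependent command only when it failed because the
# registry throttled it, which is what the TOOMANYREQUESTS lines above show.

# Sleeping lives in its own function so a test can stub it out.
backoff_sleep() {
  sleep "$1"
}

# retry_on_rate_limit MAX_ATTEMPTS BASE_DELAY_SECONDS CMD [ARG...]
# Runs CMD. If it exits non-zero and its stderr contains TOOMANYREQUESTS,
# waits BASE_DELAY * 2^(attempt-1) seconds and runs it again, up to
# MAX_ATTEMPTS times. Any other non-zero exit is returned at once, so a real
# finding reported through --exit-code 1 is never retried or hidden.
# stdout passes straight through; stderr is replayed after every attempt.
retry_on_rate_limit() {
  local max_attempts=$1
  local base_delay=$2
  shift 2
  local attempt=1
  local rc errfile
  errfile=$(mktemp)
  while :; do
    "$@" 2>"$errfile"
    rc=$?
    cat "$errfile" >&2
    if [ "$rc" -eq 0 ]; then
      rm -f "$errfile"
      return 0
    fi
    if ! grep -q 'TOOMANYREQUESTS' "$errfile" || [ "$attempt" -ge "$max_attempts" ]; then
      rm -f "$errfile"
      return "$rc"
    fi
    backoff_sleep $(( base_delay * (1 << (attempt - 1)) ))
    attempt=$(( attempt + 1 ))
  done
}

# How the Terraform scan from the log would be wrapped (hypothetical helper
# name). The directory only needs the misconfiguration checks and secret
# scanning, not the vulnerability DB whose download failed here, so the vuln
# scanner is left out and that download never happens. Five attempts with a
# 2 s base delay wait at most 2+4+8+16 = 30 s before giving up.
scan_terraform_dir() {
  retry_on_rate_limit 5 2 \
    trivy fs --scanners misconfig,secret --exit-code 1 "$1"
}

# Usage: ./retry-trivy.sh terraform/environments/analytical-platform-ingestion
if [ -n "${1:-}" ] && command -v trivy >/dev/null 2>&1; then
  scan_terraform_dir "$1"
fi
```

The misconfiguration scanner still fetches its built-in checks bundle from a registry (the later successful run in this thread shows that download), so the retry is doing work even without the vulnerability DB. If the limit keeps biting, Trivy's `--cache-dir` can be persisted between CI runs, and `--db-repository` / `--checks-bundle-repository` can point it at a mirror instead of ghcr.io.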

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 16, 2024 17:03 — with GitHub Actions Inactive
ewastempel previously approved these changes Oct 16, 2024
Contributor

@ewastempel ewastempel left a comment

LGTM, but be aware that the providers may be overwritten at some point.

Jacob Woffenden added 2 commits October 16, 2024 17:36
Signed-off-by: Jacob Woffenden <[email protected]>
lol
Signed-off-by: Jacob Woffenden <[email protected]>
Contributor

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-16 17:39:32,049 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,049 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,049 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,049 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,049 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,049 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,050 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,050 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,050 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,050 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,050 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,050 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,050 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:39:32,050 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 164, Failed checks: 0, Skipped checks: 64


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-16T17:39:12Z	INFO	[vulndb] Need to update DB
2024-10-16T17:39:12Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-16T17:39:12Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T17:39:14Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T17:39:14Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-16T17:39:14Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-16T17:39:14Z	INFO	[misconfig] Need to update the built-in checks
2024-10-16T17:39:14Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-16T17:39:15Z	INFO	[secret] Secret scanning is enabled
2024-10-16T17:39:15Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-16T17:39:15Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-16T17:39:16Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-16T17:39:16Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-16T17:39:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-16T17:39:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:39:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:39:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:39:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:39:29Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-16T17:39:29Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-16T17:39:29Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-16T17:39:29Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-16T17:39:29Z	INFO	Number of language-specific files	num=0
2024-10-16T17:39:29Z	INFO	Detected config files	num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-52 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

Signed-off-by: Jacob Woffenden <[email protected]>

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-16 17:43:19,148 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,149 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,149 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,149 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,149 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,149 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,149 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,150 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,150 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,150 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,150 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,150 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,150 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-16 17:43:19,150 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 164, Failed checks: 0, Skipped checks: 64


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-16T17:43:07Z	INFO	[vulndb] Need to update DB
2024-10-16T17:43:07Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-16T17:43:07Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T17:43:09Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T17:43:09Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-16T17:43:09Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-16T17:43:09Z	INFO	[misconfig] Need to update the built-in checks
2024-10-16T17:43:09Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-16T17:43:09Z	INFO	[secret] Secret scanning is enabled
2024-10-16T17:43:09Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-16T17:43:09Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-16T17:43:10Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-16T17:43:10Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-16T17:43:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-16T17:43:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-16T17:43:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:43:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:43:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:43:16Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-16T17:43:16Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-16T17:43:16Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-16T17:43:16Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-16T17:43:16Z	INFO	Number of language-specific files	num=0
2024-10-16T17:43:16Z	INFO	Detected config files	num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-52 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 16, 2024 17:43 — with GitHub Actions Inactive
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-ingestion-development October 16, 2024 17:52 — with GitHub Actions Failure
Signed-off-by: Jacob Woffenden <[email protected]>

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-16 18:00:04,255 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,255 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,255 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,255 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,256 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,256 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,256 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,256 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,256 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,256 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,256 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,257 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,257 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-16 18:00:04,257 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 164, Failed checks: 0, Skipped checks: 64


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-16T17:59:52Z	INFO	[vulndb] Need to update DB
2024-10-16T17:59:52Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-16T17:59:52Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T17:59:55Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T17:59:55Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-16T17:59:55Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-16T17:59:55Z	INFO	[misconfig] Need to update the built-in checks
2024-10-16T17:59:55Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-16T17:59:55Z	INFO	[secret] Secret scanning is enabled
2024-10-16T17:59:55Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-16T17:59:55Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-16T17:59:56Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-16T17:59:56Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-16T17:59:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-16T17:59:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-16T17:59:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T17:59:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T18:00:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-16T18:00:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-16T18:00:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-16T18:00:01Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-16T18:00:01Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-16T18:00:01Z	INFO	Number of language-specific files	num=0
2024-10-16T18:00:01Z	INFO	Detected config files	num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 16, 2024 18:00 — with GitHub Actions Inactive
@jacobwoffenden jacobwoffenden marked this pull request as ready for review October 17, 2024 07:22
@jacobwoffenden jacobwoffenden requested review from a team as code owners October 17, 2024 07:22
Signed-off-by: Jacob Woffenden <[email protected]>
Contributor

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion


Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-17T07:29:35Z INFO [vulndb] Need to update DB
2024-10-17T07:29:35Z INFO [vulndb] Downloading vulnerability DB...
2024-10-17T07:29:35Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-17T07:29:37Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-17T07:29:37Z INFO [vuln] Vulnerability scanning is enabled
2024-10-17T07:29:37Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-17T07:29:37Z INFO [misconfig] Need to update the built-in checks
2024-10-17T07:29:37Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-17T07:29:38Z INFO [secret] Secret scanning is enabled
2024-10-17T07:29:38Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-17T07:29:38Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-17T07:29:39Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-17T07:29:39Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-17T07:29:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-10-17T07:29:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:44Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-17T07:29:44Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-17T07:29:44Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-17T07:29:44Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-17T07:29:44Z INFO Number of language-specific files num=0
2024-10-17T07:29:44Z INFO Detected config files num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 resource "aws_lb" "this" {
..
47 [ internal = var.internal
..
81 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

terraform-aws-modules/lambda/aws/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:306
via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
297 resource "aws_lambda_permission" "unqualified_alias_triggers" {
...
306 [ source_arn = try(each.value.source_arn, null)
...
313 }
────────────────────────────────────────

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permission – even if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
terraform-aws-modules/lambda/aws/main.tf:287
via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
277 resource "aws_lambda_permission" "current_version_triggers" {
...
287 [ source_arn = try(each.value.source_arn, null)
...
294 }
────────────────────────────────────────

terraform-aws-modules/vpc/aws/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:340
via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:323
via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:221
via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
terraform-aws-modules/vpc/aws/main.tf:204
via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-17 07:29:46,772 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,772 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,772 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,772 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,772 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,773 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,773 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,773 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,773 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,773 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,773 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,774 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,774 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-17 07:29:46,774 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 162, Failed checks: 0, Skipped checks: 62


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-17T07:29:35Z	INFO	[vulndb] Need to update DB
2024-10-17T07:29:35Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-17T07:29:35Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-17T07:29:37Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-17T07:29:37Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-17T07:29:37Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-17T07:29:37Z	INFO	[misconfig] Need to update the built-in checks
2024-10-17T07:29:37Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-17T07:29:38Z	INFO	[secret] Secret scanning is enabled
2024-10-17T07:29:38Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-17T07:29:38Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-17T07:29:39Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-17T07:29:39Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-17T07:29:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-10-17T07:29:39Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.landing_bucket.dynamic.rule" value="cty.NilVal"
2024-10-17T07:29:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-17T07:29:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.notify_quarantined_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-17T07:29:44Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-17T07:29:44Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-17T07:29:44Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-17T07:29:44Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-17T07:29:44Z	INFO	Number of language-specific files	num=0
2024-10-17T07:29:44Z	INFO	Detected config files	num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..   
  47 [   internal                                                     = var.internal
  ..   
  81   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────



terraform-aws-modules/lambda/aws/main.tf (terraform)
====================================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:306
   via terraform-aws-modules/lambda/aws/main.tf:297-313 (aws_lambda_permission.unqualified_alias_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 297   resource "aws_lambda_permission" "unqualified_alias_triggers" {
 ...   
 306 [   source_arn          = try(each.value.source_arn, null)
 ...   
 313   }
────────────────────────────────────────


CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
Without this, any resource from principal will be granted permissioneven if that resource is from another account.
For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API


See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 terraform-aws-modules/lambda/aws/main.tf:287
   via terraform-aws-modules/lambda/aws/main.tf:277-294 (aws_lambda_permission.current_version_triggers["sns"])
    via lambda-functions.tf:243-307 (module.notify_quarantined_lambda)
────────────────────────────────────────
 277   resource "aws_lambda_permission" "current_version_triggers" {
 ...   
 287 [   source_arn          = try(each.value.source_arn, null)
 ...   
 294   }
────────────────────────────────────────



terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-ingestion-development October 17, 2024 07:29 — with GitHub Actions Inactive

@Gary-H9 Gary-H9 left a comment


LGTM


@dms1981 dms1981 left a comment


LGTM

@jacobwoffenden jacobwoffenden merged commit 15ca99d into main Oct 17, 2024
11 of 12 checks passed
@jacobwoffenden jacobwoffenden deleted the feat/ap-ingestion-datasync-nlb branch October 17, 2024 08:33