Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/wardship #8214

dependabot · 2024-10-14T01:00:03Z

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

A lot of dependabot version bumps

Feature/trivy by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#413

updated README.md and unit test name by @Khatraf in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

add tfsec exception to fix static-analysis check failure by @robertsweetman in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Adds the redact of sensitive data items from test workflow output. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#465

Fixes unredacted data values in workflow log. by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#473

Update main.tf by @ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#474

issue/7689 by @mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#544

Bump Go versions by @ASTRobinson in ministryofjustice/modernisation-platform-terraform-bastion-linux#551

Updated template to use dynamic resolution of SSM parameter store value by @dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#563

New Contributors

@Kudzai-moj made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#415

@Khatraf made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#436

@robertsweetman made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.0

Commits

440a828 Merge pull request #563 from ministryofjustice/feature/1385-resolve-parameter...
9b1804b terraform-docs: automated action
7acb479 updated template to use dynamic resolution of SSM parameter store value
72b6469 Merge pull request #562 from ministryofjustice/dependabot/github_actions/mini...
2cab62f Bump ministryofjustice/github-actions from 18.2.0 to 18.2.1
de00773 Merge pull request #561 from ministryofjustice/dependabot/github_actions/acti...
226a136 Bump actions/upload-artifact from 4.4.2 to 4.4.3
69ed718 Merge pull request #560 from ministryofjustice/dependabot/github_actions/aqua...
32650dd Merge pull request #558 from ministryofjustice/dependabot/github_actions/acti...
55feca3 Merge pull request #559 from ministryofjustice/dependabot/github_actions/acti...
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [bastion_linux::modernisation-platform-terraform-bastion-linux](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux) from 4.2.1 to 4.3.0. - [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux/releases) - [Commits](ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.0) --- updated-dependencies: - dependency-name: bastion_linux::github::ministryofjustice/modernisation-platform-terraform-bastion-linux::v4.2.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2024-10-14T01:01:24Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/wardship

Running Trivy in terraform/environments/wardship
2024-10-14T01:01:19Z INFO [vulndb] Need to update DB
2024-10-14T01:01:19Z INFO [vulndb] Downloading vulnerability DB...
2024-10-14T01:01:19Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T01:01:19Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 41.097µs, allowed: 44000/minute\n\n"
2024-10-14T01:01:19Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/wardship

*****************************

Running Checkov in terraform/environments/wardship
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-14 01:01:21,878 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 01:01:21,878 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 92, Failed checks: 54, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # bucket_versioning    = true
		12 |   # bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "ecs_logs" {
		15 |   name              = "wardship-ecs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:265-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		265 | resource "aws_iam_role_policy" "app_execution" {
		266 |   name = "execution-${var.networking[0].application}"
		267 |   role = aws_iam_role.app_execution.id
		268 | 
		269 |   policy = <<-EOF
		270 |   {
		271 |     "Version": "2012-10-17",
		272 |     "Statement": [
		273 |       {
		274 |            "Action": [
		275 |               "ecr:*",
		276 |               "logs:CreateLogStream",
		277 |               "logs:PutLogEvents",
		278 |               "secretsmanager:GetSecretValue"
		279 |            ],
		280 |            "Resource": "*",
		281 |            "Effect": "Allow"
		282 |       }
		283 |     ]
		284 |   }
		285 |   EOF
		286 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:339-357
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		339 | resource "aws_security_group" "ecs_service" {
		340 |   name_prefix = "ecs-service-sg-"
		341 |   vpc_id      = data.aws_vpc.shared.id
		342 | 
		343 |   ingress {
		344 |     from_port       = 80
		345 |     to_port         = 80
		346 |     protocol        = "tcp"
		347 |     description     = "Allow traffic on port 80 from load balancer"
		348 |     security_groups = [aws_security_group.wardship_lb_sc.id]
		349 |   }
		350 | 
		351 |   egress {
		352 |     from_port   = 0
		353 |     to_port     = 0
		354 |     protocol    = "-1"
		355 |     cidr_blocks = ["0.0.0.0/0"]
		356 |   }
		357 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.wardship_ecr_repo
	File: /ecs.tf:359-362
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		359 | resource "aws_ecr_repository" "wardship_ecr_repo" {
		360 |   name         = "wardship-ecr-repo"
		361 |   force_delete = true
		362 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ecs.tf:458-461
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		458 | resource "aws_sns_topic" "ddos_alarm" {
		459 |   count = local.is-development ? 0 : 1
		460 |   name  = "wardship_ddos_alarm"
		461 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.wardship_utilisation_alarm
	File: /ecs.tf:463-466
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		463 | resource "aws_sns_topic" "wardship_utilisation_alarm" {
		464 |   count = local.is-development ? 0 : 1
		465 |   name  = "wardship_utilisation_alarm"
		466 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_non_prod
	File: /ecs.tf:486-494
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		486 | module "pagerduty_core_alerts_non_prod" {
		487 |   count = local.is-preproduction ? 1 : 0
		488 |   depends_on = [
		489 |     aws_sns_topic.wardship_utilisation_alarm
		490 |   ]
		491 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		492 |   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
		493 |   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_non_prod_alarms"]
		494 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_prod
	File: /ecs.tf:497-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		497 | module "pagerduty_core_alerts_prod" {
		498 |   count = local.is-production ? 1 : 0
		499 |   depends_on = [
		500 |     aws_sns_topic.wardship_utilisation_alarm
		501 |   ]
		502 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		503 |   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
		504 |   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_prod_alarms"]
		505 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.wardship_lb_sc
	File: /load_balancer.tf:1-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:87-158
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom_2
	File: /load_balancer.tf:160-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.wardship_lb
	File: /load_balancer.tf:234-242
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		234 | resource "aws_lb" "wardship_lb" {
		235 |   name                       = "wardship-load-balancer"
		236 |   load_balancer_type         = "application"
		237 |   security_groups            = [aws_security_group.wardship_lb_sc.id, aws_security_group.lb_sc_pingdom.id, aws_security_group.lb_sc_pingdom_2.id]
		238 |   subnets                    = data.aws_subnets.shared-public.ids
		239 |   enable_deletion_protection = false
		240 |   internal                   = false
		241 |   depends_on                 = [aws_security_group.wardship_lb_sc, aws_security_group.lb_sc_pingdom, aws_security_group.lb_sc_pingdom_2]
		242 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.wardship_target_group
	File: /load_balancer.tf:244-266

		244 | resource "aws_lb_target_group" "wardship_target_group" {
		245 |   name                 = "wardship-target-group"
		246 |   port                 = 80
		247 |   protocol             = "HTTP"
		248 |   vpc_id               = data.aws_vpc.shared.id
		249 |   target_type          = "ip"
		250 |   deregistration_delay = 30
		251 | 
		252 |   stickiness {
		253 |     type = "lb_cookie"
		254 |   }
		255 | 
		256 |   health_check {
		257 |     healthy_threshold   = "3"
		258 |     interval            = "30"
		259 |     protocol            = "HTTP"
		260 |     port                = "80"
		261 |     unhealthy_threshold = "5"
		262 |     matcher             = "200-302"
		263 |     timeout             = "10"
		264 |   }
		265 | 
		266 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.wardship_target_group
	File: /load_balancer.tf:244-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		244 | resource "aws_lb_target_group" "wardship_target_group" {
		245 |   name                 = "wardship-target-group"
		246 |   port                 = 80
		247 |   protocol             = "HTTP"
		248 |   vpc_id               = data.aws_vpc.shared.id
		249 |   target_type          = "ip"
		250 |   deregistration_delay = 30
		251 | 
		252 |   stickiness {
		253 |     type = "lb_cookie"
		254 |   }
		255 | 
		256 |   health_check {
		257 |     healthy_threshold   = "3"
		258 |     interval            = "30"
		259 |     protocol            = "HTTP"
		260 |     port                = "80"
		261 |     unhealthy_threshold = "5"
		262 |     matcher             = "200-302"
		263 |     timeout             = "10"
		264 |   }
		265 | 
		266 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.wardship_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		268 | resource "aws_lb_listener" "wardship_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.wardship_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		281 |   }
		282 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.wardship_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		1  | resource "aws_wafv2_web_acl" "wardship_web_acl" {
		2  |   name  = "wardship-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "wardship-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.wardship_web_acl
	File: /waf.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		1  | resource "aws_wafv2_web_acl" "wardship_web_acl" {
		2  |   name  = "wardship-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |       }
		22 |     }
		23 | 
		24 |     visibility_config {
		25 |       cloudwatch_metrics_enabled = true
		26 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		27 |       sampled_requests_enabled   = true
		28 |     }
		29 |   }
		30 | 
		31 |   visibility_config {
		32 |     cloudwatch_metrics_enabled = true
		33 |     metric_name                = "wardship-web-acl"
		34 |     sampled_requests_enabled   = true
		35 |   }
		36 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		1  | resource "aws_db_instance" "wardship_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.wardship_db_dev
	File: /rds.tf:59-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		59 | resource "aws_db_instance" "wardship_db_dev" {
		60 |   count                       = local.is-development ? 1 : 0
		61 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		62 |   db_name                     = local.application_data.accounts[local.environment].db_name
		63 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		64 |   engine                      = local.application_data.accounts[local.environment].engine
		65 |   identifier                  = local.application_data.accounts[local.environment].identifier
		66 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		67 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		68 |   username                    = local.application_data.accounts[local.environment].db_username
		69 |   password                    = random_password.password.result
		70 |   skip_final_snapshot         = true
		71 |   publicly_accessible         = true
		72 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		73 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		74 |   allow_major_version_upgrade = true
		75 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.wardship_lb
	File: /load_balancer.tf:268-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		268 | resource "aws_lb_listener" "wardship_lb" {
		269 |   depends_on = [
		270 |     aws_acm_certificate.external
		271 |   ]
		272 |   certificate_arn   = aws_acm_certificate.external.arn
		273 |   load_balancer_arn = aws_lb.wardship_lb.arn
		274 |   port              = local.application_data.accounts[local.environment].server_port_2
		275 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		276 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		277 | 
		278 |   default_action {
		279 |     type             = "forward"
		280 |     target_group_arn = aws_lb_target_group.wardship_target_group.arn
		281 |   }
		282 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:315-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		315 | resource "aws_iam_role_policy" "app_task" {
		316 |   name = "task-${var.networking[0].application}"
		317 |   role = aws_iam_role.app_task.id
		318 | 
		319 |   policy = <<-EOF
		320 |   {
		321 |    "Version": "2012-10-17",
		322 |    "Statement": [
		323 |      {
		324 |        "Effect": "Allow",
		325 |         "Action": [
		326 |           "logs:CreateLogStream",
		327 |           "logs:PutLogEvents",
		328 |           "ecr:*",
		329 |           "iam:*",
		330 |           "ec2:*"
		331 |         ],
		332 |        "Resource": "*"
		333 |      }
		334 |    ]
		335 |   }
		336 |   EOF
		337 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/wardship

*****************************

Running tflint in terraform/environments/wardship
Excluding the following checks: terraform_unused_declarations
22 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 54:
  54:           value = "${aws_db_instance.wardship_db[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 58:
  58:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 62:
  62:           value = "${aws_db_instance.wardship_db[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 66:
  66:           value = "${aws_db_instance.wardship_db[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 70:
  70:           value = "${aws_db_instance.wardship_db[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 78:
  78:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 82:
  82:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 86:
  86:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 133:
 133:           value = "${aws_db_instance.wardship_db_dev[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 141:
 141:           value = "${aws_db_instance.wardship_db_dev[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 145:
 145:           value = "${aws_db_instance.wardship_db_dev[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 149:
 149:           value = "${aws_db_instance.wardship_db_dev[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 153:
 153:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 157:
 157:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 161:
 161:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/ecs.tf line 165:
 165:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in `required_providers` (terraform_required_providers)

  on terraform/environments/wardship/rds.tf line 120:
 120: resource "null_resource" "setup_dev_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/rds.tf line 137:
 137:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/wardship/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/wardship/secrets.tf line 18:
  18:   secret_string = jsonencode({ "WARDSHIP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/wardship

*****************************

Running Trivy in terraform/environments/wardship
2024-10-14T01:01:19Z	INFO	[vulndb] Need to update DB
2024-10-14T01:01:19Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-14T01:01:19Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T01:01:19Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 41.097µs, allowed: 44000/minute\n\n"
2024-10-14T01:01:19Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

dependabot · 2024-10-15T01:01:31Z

Superseded by #8245.

dependabot bot requested a review from a team as a code owner October 14, 2024 01:00

dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels Oct 14, 2024

dependabot bot requested a review from a team as a code owner October 14, 2024 01:00

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 14, 2024

dependabot bot closed this Oct 15, 2024

dependabot bot deleted the dependabot/terraform/terraform/environments/wardship/bastion_linux--github--ministryofjustice/modernisation-platform-terraform-bastion-linux--v4.2.1-4.3.0 branch October 15, 2024 01:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/wardship #8214

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/wardship #8214

dependabot bot commented on behalf of github Oct 14, 2024

github-actions bot commented Oct 14, 2024

dependabot bot commented on behalf of github Oct 15, 2024

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/wardship #8214

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.0 in /terraform/environments/wardship #8214

Conversation

dependabot bot commented on behalf of github Oct 14, 2024

v4.3.0

What's New

What's Changed

New Contributors

github-actions bot commented Oct 14, 2024

Trivy Scan Failed

CTFLint Scan Failed

Trivy Scan Failed

dependabot bot commented on behalf of github Oct 15, 2024

`Trivy Scan` Failed

`CTFLint Scan` Failed

`Trivy Scan` Failed