
Bump ecs::modernisation-platform-terraform-ecs-cluster from 4.3.0 to 5.0.0 in /terraform/environments/delius-core #8933

Open. Wants to merge 1 commit into main.
Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Dec 3, 2024

Bumps ecs::modernisation-platform-terraform-ecs-cluster from 4.3.0 to 5.0.0.

Release notes

Sourced from ecs::modernisation-platform-terraform-ecs-cluster's releases.

v5.0.0

What's Changed

... (truncated)

Commits
  • 46be04c feat: add option to pin service to task def revision (#331)
  • ff79da8 Merge pull request #330 from ministryofjustice/dependabot/github_actions/brid...
  • 49af132 build(deps): bump bridgecrewio/checkov-action
  • b8a9764 fix: ignore changes causes replacement of service (#326)
  • cc8faf6 Merge pull request #327 from ministryofjustice/dependabot/github_actions/aqua...
  • 9510f0f Merge pull request #329 from ministryofjustice/dependabot/github_actions/gith...
  • 410b3d6 Merge pull request #328 from ministryofjustice/dependabot/github_actions/brid...
  • 49c58b5 Bump github/codeql-action from 3.27.4 to 3.27.5
  • 58c7740 Bump bridgecrewio/checkov-action from 12.2912.0 to 12.2914.0
  • 27cdbea Bump aquasecurity/trivy-action from 0.28.0 to 0.29.0
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [ecs::modernisation-platform-terraform-ecs-cluster](https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster) from 4.3.0 to 5.0.0.
- [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster/releases)
- [Commits](ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.3.0...v5.0.0)

---
updated-dependencies:
- dependency-name: ecs::github::ministryofjustice/modernisation-platform-terraform-ecs-cluster::v4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from a team as a code owner December 3, 2024 00:53
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Dec 3, 2024
@dependabot dependabot bot added the terraform Pull requests that update Terraform code label Dec 3, 2024
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 3, 2024
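The bump pins the ECS cluster module by git tag (`?ref=v5.0.0`), and the Checkov output further down flags exactly that pattern under CKV_TF_1: a tag or branch can be moved to different code after review, a full commit SHA cannot. As an added example, not code from this PR or from the Modernisation Platform repositories, here is a small Python check that scans `module` blocks for git-style sources and reports any whose `ref` is not a full 40-hex commit SHA, together with a helper that rewrites a source to a SHA resolved out of band. Assumptions: the check requires the full SHA rather than an abbreviated one (stricter than some tools accept); the sample HCL is constructed, reusing the `module "ecs"` block from the scan output and the bastion-linux commit `c918b218…` that the scanners report for that module; that bastion SHA is used only as a placeholder when demonstrating the rewrite, since the real commit behind v5.0.0 of the ECS module is not on this page.

```python
"""Flag Terraform module sources pulled from git that are not pinned to a commit SHA.

Added example, not part of the PR or the Modernisation Platform modules. It mirrors
the intent of Checkov CKV_TF_1: a ?ref= tag or branch is mutable, a commit SHA is not.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

# A module block: `module "name" {` ... up to a closing brace at column 0.
MODULE_RE = re.compile(r'^module\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}', re.M | re.S)
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"(?P<src>[^"]+)"', re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # assumption: full SHA required, not a short one
GIT_PREFIXES = ("git::", "github.com/", "git@", "bitbucket.org/")


@dataclass
class ModuleSource:
    name: str
    source: str
    kind: str            # "git", "local" or "other" (registry sources pin via `version`, not checked)
    ref: Optional[str]   # value of ?ref=, None when absent (follows the remote default branch)
    pinned: bool         # True only for a full commit SHA, or for a local path module


def classify_source(name: str, source: str) -> ModuleSource:
    """Decide whether one module source is immutably pinned."""
    if source.startswith(("./", "../")):
        # Local path: versioned together with the calling code, nothing to pin.
        return ModuleSource(name, source, "local", None, True)
    path, _, query = source.partition("?")
    if not path.startswith(GIT_PREFIXES) and not path.endswith(".git"):
        return ModuleSource(name, source, "other", None, False)
    ref = parse_qs(query).get("ref", [None])[0]
    pinned = bool(ref) and FULL_SHA_RE.match(ref) is not None
    return ModuleSource(name, source, "git", ref, pinned)


def audit(hcl_text: str) -> List[ModuleSource]:
    """Classify every module block that declares a source."""
    found = []
    for block in MODULE_RE.finditer(hcl_text):
        src = SOURCE_RE.search(block.group("body"))
        if src:
            found.append(classify_source(block.group("name"), src.group("src")))
    return found


def findings(hcl_text: str) -> List[str]:
    """Findings for git sources that float on a tag, a branch or the default branch."""
    out = []
    for mod in audit(hcl_text):
        if mod.kind != "git" or mod.pinned:
            continue
        if mod.ref is None:
            why = "no ref, follows the remote default branch"
        else:
            why = f"ref={mod.ref!r} is a mutable tag or branch, not a full commit SHA"
        out.append(f'module "{mod.name}": {why}')
    return out


def pin_to_commit(source: str, sha: str) -> str:
    """Rewrite ?ref= to a commit SHA resolved out of band (for example with
    `git ls-remote <repo> refs/tags/v5.0.0`). Other query parameters are preserved."""
    if FULL_SHA_RE.match(sha) is None:
        raise ValueError("expected a full 40-hex commit SHA")
    path, _, query = source.partition("?")
    params = parse_qs(query)
    params["ref"] = [sha]
    return path + "?" + urlencode(params, doseq=True)


# Constructed sample. The "ecs" block is the one shown in the Checkov output; the
# bastion SHA is the ref the scanners reported for the bastion-linux module.
SAMPLE_HCL = '''
module "ecs" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v5.0.0"

  name = "delius-core-${var.env_name}-cluster"

  tags = local.tags
}

module "bastion_linux" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12"
}

module "floating" {
  source = "git::https://github.com/example-org/example-module.git"
}

module "dms" {
  source = "../components/dms"
}
'''

if __name__ == "__main__":
    for line in findings(SAMPLE_HCL):
        print(line)
```

Run against the sample, the check reports the `ecs` module (tag `v5.0.0`) and the `floating` module (no ref at all) and accepts the bastion module. Pinning by SHA trades the readability of a tag for immutability; keep the tag in a comment next to the SHA so reviewers (and Dependabot, which understands both forms) can still see which release is in use.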

github-actions bot commented Dec 3, 2024

Trivy Scan Failed


Trivy will check the following folders:
terraform/environments/delius-core/modules/delius_environment


Running Trivy in terraform/environments/delius-core/modules/delius_environment
2024-12-03T00:55:55Z INFO [vulndb] Need to update DB
2024-12-03T00:55:55Z INFO [vulndb] Downloading vulnerability DB...
2024-12-03T00:55:55Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T00:55:58Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T00:55:58Z INFO [vuln] Vulnerability scanning is enabled
2024-12-03T00:55:58Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-03T00:55:58Z INFO [misconfig] Need to update the built-in checks
2024-12-03T00:55:58Z INFO [misconfig] Downloading the built-in checks...
2024-12-03T00:55:59Z INFO [secret] Secret scanning is enabled
2024-12-03T00:55:59Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T00:55:59Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T00:56:00Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-03T00:56:00Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, app_name, bastion_config, db_config, delius_microservice_configs, dms_config, env_name, env_name_to_dms_config_map, environment_config, platform_vars, tags"
2024-12-03T00:56:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.alfresco_sfs_alb" value="cty.NilVal"
2024-12-03T00:56:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.ancillary_alb_ingress_https_global_protect_allowlist" value="cty.NilVal"
2024-12-03T00:56:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.delius_core_frontend_alb_ingress_https_global_protect_allowlist" value="cty.NilVal"
2024-12-03T00:56:01Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open cluster: no such file or directory"
2024-12-03T00:56:02Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alfresco_efs.aws_efs_mount_target.this" value="cty.NilVal"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ldap.module.efs.aws_efs_mount_target.this" value="cty.NilVal"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.ldap.module.s3_bucket_ldap_data_refresh.data.aws_iam_policy_document.bucket_policy_v2" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.bucket_policy_v2.dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.ldap.module.s3_bucket_ldap_data_refresh.data.aws_iam_policy_document.bucket_policy_v2" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.bucket_policy_v2.dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-03T00:56:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_cloudwatch_metric_alarm.dms_cdc_latency_source" value="cty.NilVal"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_cloudwatch_metric_alarm.dms_cdc_latency_target" value="cty.NilVal"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_replication_task.audited_interaction_checksum_inbound_replication" value="cty.NilVal"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_replication_task.audited_interaction_inbound_replication" value="cty.NilVal"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_replication_task.business_interaction_inbound_replication" value="cty.NilVal"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_replication_task.user_outbound_replication" value="cty.NilVal"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_s3_endpoint.dms_audit_source_endpoint_s3" value="cty.NilVal"
2024-12-03T00:56:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_s3_endpoint.dms_user_target_endpoint_s3" value="cty.NilVal"
2024-12-03T00:56:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_primary[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-03T00:56:05Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_primary[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:05Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_primary[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_standby[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-03T00:56:05Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_standby[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:05Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_standby[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:15Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-12-03T00:56:15Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-12-03T00:56:15Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-03T00:56:15Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T00:56:15Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T00:56:15Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="alb_frontend.tf:43"
2024-12-03T00:56:15Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="alb_ancillary.tf:45"
2024-12-03T00:56:15Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../components/oracle_db_shared/sg.tf:16"
2024-12-03T00:56:15Z INFO Number of language-specific files num=0
2024-12-03T00:56:15Z INFO Detected config files num=17

(terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/delius_environment

*****************************

Running Checkov in terraform/environments/delius-core/modules/delius_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-03 00:56:18,044 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-12-03 00:56:18,044 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-12-03 00:56:18,044 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-03 00:56:18,045 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v5.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1521, Failed checks: 145, Skipped checks: 62

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:234-249
	Calling File: /dms.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		234 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		235 |   function_name = "dms-replication-metric-publisher"
		236 |   role          = aws_iam_role.lambda_put_metric_data_role.arn
		237 |   handler       = "dms_replication_metric.lambda_handler"
		238 |   runtime       = "python3.8"
		239 |   filename      = data.archive_file.lambda_dms_replication_metric_zip.output_path
		240 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		241 |   environment {
		242 |     variables = {
		243 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		244 |       METRIC_NAME      = "DMSReplicationFailure"
		245 |     }
		246 |   }
		247 | 
		248 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		249 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:234-249
	Calling File: /dms.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		234 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		235 |   function_name = "dms-replication-metric-publisher"
		236 |   role          = aws_iam_role.lambda_put_metric_data_role.arn
		237 |   handler       = "dms_replication_metric.lambda_handler"
		238 |   runtime       = "python3.8"
		239 |   filename      = data.archive_file.lambda_dms_replication_metric_zip.output_path
		240 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		241 |   environment {
		242 |     variables = {
		243 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		244 |       METRIC_NAME      = "DMSReplicationFailure"
		245 |     }
		246 |   }
		247 | 
		248 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		249 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:234-249
	Calling File: /dms.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		234 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		235 |   function_name = "dms-replication-metric-publisher"
		236 |   role          = aws_iam_role.lambda_put_metric_data_role.arn
		237 |   handler       = "dms_replication_metric.lambda_handler"
		238 |   runtime       = "python3.8"
		239 |   filename      = data.archive_file.lambda_dms_replication_metric_zip.output_path
		240 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		241 |   environment {
		242 |     variables = {
		243 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		244 |       METRIC_NAME      = "DMSReplicationFailure"
		245 |     }
		246 |   }
		247 | 
		248 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		249 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:234-249
	Calling File: /dms.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		234 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		235 |   function_name = "dms-replication-metric-publisher"
		236 |   role          = aws_iam_role.lambda_put_metric_data_role.arn
		237 |   handler       = "dms_replication_metric.lambda_handler"
		238 |   runtime       = "python3.8"
		239 |   filename      = data.archive_file.lambda_dms_replication_metric_zip.output_path
		240 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		241 |   environment {
		242 |     variables = {
		243 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		244 |       METRIC_NAME      = "DMSReplicationFailure"
		245 |     }
		246 |   }
		247 | 
		248 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		249 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:234-249
	Calling File: /dms.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		234 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		235 |   function_name = "dms-replication-metric-publisher"
		236 |   role          = aws_iam_role.lambda_put_metric_data_role.arn
		237 |   handler       = "dms_replication_metric.lambda_handler"
		238 |   runtime       = "python3.8"
		239 |   filename      = data.archive_file.lambda_dms_replication_metric_zip.output_path
		240 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		241 |   environment {
		242 |     variables = {
		243 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		244 |       METRIC_NAME      = "DMSReplicationFailure"
		245 |     }
		246 |   }
		247 | 
		248 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		249 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:234-249
	Calling File: /dms.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		234 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		235 |   function_name = "dms-replication-metric-publisher"
		236 |   role          = aws_iam_role.lambda_put_metric_data_role.arn
		237 |   handler       = "dms_replication_metric.lambda_handler"
		238 |   runtime       = "python3.8"
		239 |   filename      = data.archive_file.lambda_dms_replication_metric_zip.output_path
		240 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		241 |   environment {
		242 |     variables = {
		243 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		244 |       METRIC_NAME      = "DMSReplicationFailure"
		245 |     }
		246 |   }
		247 | 
		248 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		249 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.dms.aws_sns_topic.dms_events_topic
	File: /../components/dms/cloudwatch-alarms.tf:289-295
	Calling File: /dms.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		289 | resource "aws_sns_topic" "dms_events_topic" {
		290 |   name = "delius-dms-events-topic"
		291 | 
		292 |   lambda_success_feedback_role_arn = aws_iam_role.sns_logging_role.arn
		293 |   lambda_success_feedback_sample_rate = 100
		294 |   lambda_failure_feedback_role_arn = aws_iam_role.sns_logging_role.arn
		295 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:189-227
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /alb_frontend.tf:38-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		38 | resource "aws_lb" "delius_core_frontend" {
		39 |   #checkov:skip=CKV_AWS_91 "ignore"
		40 |   #checkov:skip=CKV2_AWS_28 "ignore"
		41 | 
		42 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		43 |   internal           = false
		44 |   load_balancer_type = "application"
		45 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		46 |   subnets            = var.account_config.public_subnet_ids
		47 | 
		48 |   enable_deletion_protection = false
		49 |   drop_invalid_header_fields = true
		50 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.alfresco_sfs
	File: /alfresco.tf:238-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		238 | resource "aws_lb" "alfresco_sfs" {
		239 |   name               = "${var.app_name}-${var.env_name}-alf-sfs-alb"
		240 |   internal           = true
		241 |   load_balancer_type = "application"
		242 |   security_groups    = [aws_security_group.alfresco_sfs_alb.id]
		243 |   subnets            = var.account_config.private_subnet_ids
		244 | 
		245 |   enable_deletion_protection = false
		246 |   drop_invalid_header_fields = true
		247 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.alfresco_sfs
	File: /alfresco.tf:238-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		238 | resource "aws_lb" "alfresco_sfs" {
		239 |   name               = "${var.app_name}-${var.env_name}-alf-sfs-alb"
		240 |   internal           = true
		241 |   load_balancer_type = "application"
		242 |   security_groups    = [aws_security_group.alfresco_sfs_alb.id]
		243 |   subnets            = var.account_config.private_subnet_ids
		244 | 
		245 |   enable_deletion_protection = false
		246 |   drop_invalid_header_fields = true
		247 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.cluster
	File: /common_ecs.tf:9-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_security_group" "cluster" {
		10 |   name_prefix = "ecs-cluster-${var.env_name}"
		11 |   vpc_id      = var.account_config.shared_vpc_id
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /common_ecs.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v5.0.0"
		3 | 
		4 |   name = "delius-core-${var.env_name}-cluster"
		5 | 
		6 |   tags = local.tags
		7 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /ldap_ecs.tf:356-360
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		356 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		357 |   name              = "/ecs/ldap-automation-${var.env_name}"
		358 |   retention_in_days = 7
		359 |   tags              = var.tags
		360 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /ldap_ecs.tf:356-360
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		356 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		357 |   name              = "/ecs/ldap-automation-${var.env_name}"
		358 |   retention_in_days = 7
		359 |   tags              = var.tags
		360 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.pdfcreation_secret
	File: /newtech.tf:53-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "pdfcreation_secret" {
		54 |   name  = "/${var.env_name}/delius/newtech/web/params_secret_key"
		55 |   type  = "SecureString"
		56 |   value = "DEFAULT"
		57 |   lifecycle {
		58 |     ignore_changes = [value]
		59 |   }
		60 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.delius_core_alarms
	File: /pagerduty.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		2 | resource "aws_sns_topic" "delius_core_alarms" {
		3 |   name = "delius-core-${var.env_name}-alarms-topic"
		4 |   tags = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /pagerduty.tf:8-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		8  | module "pagerduty_core_alerts" {
		9  | 
		10 |   depends_on = [
		11 |     aws_sns_topic.delius_core_alarms
		12 |   ]
		13 | 
		14 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		15 |   sns_topics                = [aws_sns_topic.delius_core_alarms.name]
		16 |   pagerduty_integration_key = var.pagerduty_integration_key
		17 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.security_key
	File: /pwm.tf:130-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		130 | resource "aws_ssm_parameter" "security_key" {
		131 |   name  = "/${var.env_name}/pwm/security_key"
		132 |   type  = "SecureString"
		133 |   value = random_id.security_key.hex
		134 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.pwm_ses_smtp_user
	File: /pwm.tf:197-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		197 | resource "aws_iam_user" "pwm_ses_smtp_user" {
		198 |   name = "${var.env_name}-pwm-smtp-user"
		199 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_user_policy.pwm_ses_smtp_user
	File: /pwm.tf:205-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		205 | resource "aws_iam_user_policy" "pwm_ses_smtp_user" {
		206 |   name = "${var.env_name}-pwm-ses-smtp-user-policy"
		207 |   user = aws_iam_user.pwm_ses_smtp_user.name
		208 | 
		209 |   policy = jsonencode({
		210 |     Version = "2012-10-17",
		211 |     Statement = [
		212 |       {
		213 |         Effect = "Allow",
		214 |         Action = [
		215 |           "ses:SendRawEmail",
		216 |           "ses:SendEmail"
		217 |         ],
		218 |         Resource = "*"
		219 |       }
		220 |     ]
		221 |   })
		222 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_user_policy.pwm_ses_smtp_user
	File: /pwm.tf:205-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		205 | resource "aws_iam_user_policy" "pwm_ses_smtp_user" {
		206 |   name = "${var.env_name}-pwm-ses-smtp-user-policy"
		207 |   user = aws_iam_user.pwm_ses_smtp_user.name
		208 | 
		209 |   policy = jsonencode({
		210 |     Version = "2012-10-17",
		211 |     Statement = [
		212 |       {
		213 |         Effect = "Allow",
		214 |         Action = [
		215 |           "ses:SendRawEmail",
		216 |           "ses:SendEmail"
		217 |         ],
		218 |         Resource = "*"
		219 |       }
		220 |     ]
		221 |   })
		222 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.pwm_ses_smtp_user
	File: /pwm.tf:224-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		224 | resource "aws_ssm_parameter" "pwm_ses_smtp_user" {
		225 |   name = "/${var.env_name}/pwm/ses_smtp"
		226 |   type = "SecureString"
		227 |   value = jsonencode({
		228 |     user              = aws_iam_user.pwm_ses_smtp_user.name,
		229 |     key               = aws_iam_access_key.pwm_ses_smtp_user.id,
		230 |     secret            = aws_iam_access_key.pwm_ses_smtp_user.secret
		231 |     ses_smtp_user     = aws_iam_access_key.pwm_ses_smtp_user.id
		232 |     ses_smtp_password = aws_iam_access_key.pwm_ses_smtp_user.ses_smtp_password_v4
		233 |   })
		234 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_host
	File: /ssm.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		29 | resource "aws_ssm_parameter" "ldap_host" {
		30 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		31 |   type  = "SecureString"
		32 |   value = module.ldap_ecs.nlb_dns_name
		33 |   lifecycle {
		34 |     ignore_changes = [
		35 |       value
		36 |     ]
		37 |   }
		38 |   tags = var.tags
		39 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:41-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		41 | resource "aws_ssm_parameter" "ldap_admin_password" {
		42 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		43 |   type  = "SecureString"
		44 |   value = "INITIAL_VALUE_OVERRIDDEN"
		45 |   lifecycle {
		46 |     ignore_changes = [
		47 |       value
		48 |     ]
		49 |   }
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_seed_uri
	File: /ssm.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "ldap_seed_uri" {
		54 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_principal
	File: /ssm.tf:65-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		65 | resource "aws_ssm_parameter" "ldap_principal" {
		66 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		67 |   type  = "SecureString"
		68 |   value = "INITIAL_VALUE_OVERRIDDEN"
		69 |   lifecycle {
		70 |     ignore_changes = [
		71 |       value
		72 |     ]
		73 |   }
		74 |   tags = var.tags
		75 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_rbac_version
	File: /ssm.tf:77-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		77 | resource "aws_ssm_parameter" "ldap_rbac_version" {
		78 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		79 |   type  = "SecureString"
		80 |   value = "INITIAL_VALUE_OVERRIDDEN"
		81 |   lifecycle {
		82 |     ignore_changes = [
		83 |       value
		84 |     ]
		85 |   }
		86 |   tags = var.tags
		87 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:89-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		89  | resource "aws_ssm_parameter" "oasys_user" {
		90  |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		91  |   type  = "SecureString"
		92  |   value = "INITIAL_VALUE_OVERRIDDEN"
		93  |   lifecycle {
		94  |     ignore_changes = [
		95  |       value
		96  |     ]
		97  |   }
		98  |   tags = local.tags
		99  | 
		100 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:102-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		102 | resource "aws_ssm_parameter" "oasys_password" {
		103 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		104 |   type  = "SecureString"
		105 |   value = "INITIAL_VALUE_OVERRIDDEN"
		106 |   lifecycle {
		107 |     ignore_changes = [
		108 |       value
		109 |     ]
		110 |   }
		111 |   tags = local.tags
		112 | 
		113 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:115-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		115 | resource "aws_ssm_parameter" "iaps_user" {
		116 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		117 |   type  = "SecureString"
		118 |   value = "INITIAL_VALUE_OVERRIDDEN"
		119 |   lifecycle {
		120 |     ignore_changes = [
		121 |       value
		122 |     ]
		123 |   }
		124 |   tags = local.tags
		125 | 
		126 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:128-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		128 | resource "aws_ssm_parameter" "iaps_user_password" {
		129 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		130 |   type  = "SecureString"
		131 |   value = "INITIAL_VALUE_OVERRIDDEN"
		132 |   lifecycle {
		133 |     ignore_changes = [
		134 |       value
		135 |     ]
		136 |   }
		137 |   tags = local.tags
		138 | 
		139 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:141-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		141 | resource "aws_ssm_parameter" "dss_user" {
		142 |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		143 |   type  = "SecureString"
		144 |   value = "INITIAL_VALUE_OVERRIDDEN"
		145 |   lifecycle {
		146 |     ignore_changes = [
		147 |       value
		148 |     ]
		149 |   }
		150 |   tags = local.tags
		151 | 
		152 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:154-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		154 | resource "aws_ssm_parameter" "dss_user_password" {
		155 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		156 |   type  = "SecureString"
		157 |   value = "INITIAL_VALUE_OVERRIDDEN"
		158 |   lifecycle {
		159 |     ignore_changes = [
		160 |       value
		161 |     ]
		162 |   }
		163 |   tags = local.tags
		164 | 
		165 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:167-178
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		167 | resource "aws_ssm_parameter" "casenotes_user" {
		168 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		169 |   type  = "SecureString"
		170 |   value = "INITIAL_VALUE_OVERRIDDEN"
		171 |   lifecycle {
		172 |     ignore_changes = [
		173 |       value
		174 |     ]
		175 |   }
		176 |   tags = local.tags
		177 | 
		178 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:180-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		180 | resource "aws_ssm_parameter" "casenotes_user_password" {
		181 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		182 |   type  = "SecureString"
		183 |   value = "INITIAL_VALUE_OVERRIDDEN"
		184 |   lifecycle {
		185 |     ignore_changes = [
		186 |       value
		187 |     ]
		188 |   }
		189 |   tags = local.tags
		190 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:192-203
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		192 | resource "aws_ssm_parameter" "test_user_password" {
		193 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		194 |   type  = "SecureString"
		195 |   value = "INITIAL_VALUE_OVERRIDDEN"
		196 |   lifecycle {
		197 |     ignore_changes = [
		198 |       value
		199 |     ]
		200 |   }
		201 | 
		202 |   tags = local.tags
		203 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.performance_test_user_password
	File: /ssm.tf:205-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		205 | resource "aws_ssm_parameter" "performance_test_user_password" {
		206 |   name  = format("/%s-%s/performance_test_user_password", var.account_info.application_name, var.env_name)
		207 |   type  = "SecureString"
		208 |   value = "INITIAL_VALUE_OVERRIDDEN"
		209 |   lifecycle {
		210 |     ignore_changes = [
		211 |       value
		212 |     ]
		213 |   }
		214 | 
		215 |   tags = local.tags
		216 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:218-230
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		218 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		219 |   name  = format("/%s-%s/gdpr_api_client_secret", var.account_info.application_name, var.env_name)
		220 |   type  = "SecureString"
		221 |   value = "INITIAL_VALUE_OVERRIDDEN"
		222 | 
		223 |   lifecycle {
		224 |     ignore_changes = [
		225 |       value
		226 |     ]
		227 |   }
		228 | 
		229 |   tags = local.tags
		230 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:232-244
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		232 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		233 |   name  = format("/%s-%s/pwm_config_password", var.account_info.application_name, var.env_name)
		234 |   type  = "SecureString"
		235 |   value = "INITIAL_VALUE_OVERRIDDEN"
		236 | 
		237 |   lifecycle {
		238 |     ignore_changes = [
		239 |       value
		240 |     ]
		241 |   }
		242 | 
		243 |   tags = local.tags
		244 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:246-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		246 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		247 |   name  = format("/%s-%s/merge_api_client_secret", var.account_info.application_name, var.env_name)
		248 |   type  = "SecureString"
		249 |   value = "INITIAL_VALUE_OVERRIDDEN"
		250 | 
		251 |   lifecycle {
		252 |     ignore_changes = [
		253 |       value
		254 |     ]
		255 |   }
		256 | 
		257 |   tags = local.tags
		258 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:264-276
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		264 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		265 |   name  = format("/%s-%s/umt_client_secret", var.account_info.application_name, var.env_name)
		266 |   type  = "SecureString"
		267 |   value = "INITIAL_VALUE_OVERRIDDEN"
		268 | 
		269 |   lifecycle {
		270 |     ignore_changes = [
		271 |       value
		272 |     ]
		273 |   }
		274 | 
		275 |   tags = local.tags
		276 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_umt_jwt_secret
	File: /ssm.tf:278-290
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		278 | resource "aws_ssm_parameter" "delius_core_umt_jwt_secret" {
		279 |   name  = format("/%s-%s/umt_jwt_secret", var.account_info.application_name, var.env_name)
		280 |   type  = "SecureString"
		281 |   value = "INITIAL_VALUE_OVERRIDDEN"
		282 | 
		283 |   lifecycle {
		284 |     ignore_changes = [
		285 |       value
		286 |     ]
		287 |   }
		288 | 
		289 |   tags = local.tags
		290 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_umt_delius_secret
	File: /ssm.tf:292-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		292 | resource "aws_ssm_parameter" "delius_core_umt_delius_secret" {
		293 |   name  = format("/%s-%s/umt_delius_secret", var.account_info.application_name, var.env_name)
		294 |   type  = "SecureString"
		295 |   value = "INITIAL_VALUE_OVERRIDDEN"
		296 | 
		297 |   lifecycle {
		298 |     ignore_changes = [
		299 |       value
		300 |     ]
		301 |   }
		302 | 
		303 |   tags = local.tags
		304 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_db_admin_password
	File: /ssm.tf:306-316
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		306 | resource "aws_ssm_parameter" "delius_core_gdpr_db_admin_password" {
		307 |   name  = format("/%s-%s/gdpr/api/db_admin_password", var.account_info.application_name, var.env_name)
		308 |   type  = "SecureString"
		309 |   value = "INITIAL_VALUE_OVERRIDDEN"
		310 |   lifecycle {
		311 |     ignore_changes = [
		312 |       value
		313 |     ]
		314 |   }
		315 |   tags = local.tags
		316 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_db_pool_password
	File: /ssm.tf:318-328
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		318 | resource "aws_ssm_parameter" "delius_core_gdpr_db_pool_password" {
		319 |   name  = format("/%s-%s/gdpr/api/db_pool_password", var.account_info.application_name, var.env_name)
		320 |   type  = "SecureString"
		321 |   value = "INITIAL_VALUE_OVERRIDDEN"
		322 |   lifecycle {
		323 |     ignore_changes = [
		324 |       value
		325 |     ]
		326 |   }
		327 |   tags = local.tags
		328 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_db_admin_password
	File: /ssm.tf:330-340
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		330 | resource "aws_ssm_parameter" "delius_core_merge_db_admin_password" {
		331 |   name  = format("/%s-%s/merge/api/db_admin_password", var.account_info.application_name, var.env_name)
		332 |   type  = "SecureString"
		333 |   value = "INITIAL_VALUE_OVERRIDDEN"
		334 |   lifecycle {
		335 |     ignore_changes = [
		336 |       value
		337 |     ]
		338 |   }
		339 |   tags = local.tags
		340 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_db_pool_password
	File: /ssm.tf:342-352
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		342 | resource "aws_ssm_parameter" "delius_core_merge_db_pool_password" {
		343 |   name  = format("/%s-%s/merge/api/db_pool_password", var.account_info.application_name, var.env_name)
		344 |   type  = "SecureString"
		345 |   value = "INITIAL_VALUE_OVERRIDDEN"
		346 |   lifecycle {
		347 |     ignore_changes = [
		348 |       value
		349 |     ]
		350 |   }
		351 |   tags = local.tags
		352 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssm_sessions
	File: /ssm.tf:358-370
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		358 | module "s3_bucket_ssm_sessions" {
		359 | 
		360 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		361 | 
		362 |   bucket_prefix      = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
		363 |   versioning_enabled = false
		364 | 
		365 |   providers = {
		366 |     aws.bucket-replication = aws
		367 |   }
		368 | 
		369 |   tags = var.tags
		370 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.usermanagement_secret
	File: /weblogic_eis.tf:131-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		131 | resource "aws_ssm_parameter" "usermanagement_secret" {
		132 |   name  = "/${var.env_name}/delius/umt/umt/delius_secret"
		133 |   type  = "SecureString"
		134 |   value = "DEFAULT"
		135 |   lifecycle {
		136 |     ignore_changes = [value]
		137 |   }
		138 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jdbc_url
	File: /weblogic_params.tf:6-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		6  | resource "aws_ssm_parameter" "jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = "jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN"
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jdbc_password
	File: /weblogic_params.tf:23-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		23 | resource "aws_ssm_parameter" "jdbc_password" {
		24 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		25 |   type  = "SecureString"
		26 |   value = "INITIAL_VALUE_OVERRIDDEN"
		27 |   tags  = local.tags
		28 |   lifecycle {
		29 |     ignore_changes = [
		30 |       value
		31 |     ]
		32 |   }
		33 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.weblogic_admin_username
	File: /weblogic_params.tf:40-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		40 | resource "aws_ssm_parameter" "weblogic_admin_username" {
		41 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		42 |   type  = "SecureString"
		43 |   value = "INITIAL_VALUE_OVERRIDDEN"
		44 |   lifecycle {
		45 |     ignore_changes = [
		46 |       value
		47 |     ]
		48 |   }
		49 |   tags = local.tags
		50 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.weblogic_admin_password
	File: /weblogic_params.tf:56-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		56 | resource "aws_ssm_parameter" "weblogic_admin_password" {
		57 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.alfresco_sfs_ecs.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.alfresco_sfs_ecs.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.ldap_ecs.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.ldap_ecs.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.pwm.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.pwm.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.weblogic.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.weblogic.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.weblogic_eis.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.weblogic_eis.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alfresco_sfs_ecs.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-26
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.container_health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 |   system_controls = var.system_controls
		26 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alfresco_sfs_ecs.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:37-74
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "ecs_service" {
		38 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0"
		39 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		40 |   cluster_arn           = var.ecs_cluster_arn
		41 |   name                  = "${var.env_name}-${var.name}"
		42 | 
		43 |   task_cpu    = var.container_cpu
		44 |   task_memory = var.container_memory
		45 | 
		46 |   pin_task_definition_revision = var.pin_task_definition_revision
		47 | 
		48 |   desired_count                      = var.desired_count
		49 |   deployment_maximum_percent         = var.deployment_maximum_percent
		50 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		51 | 
		52 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		53 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		54 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		55 | 
		56 |   health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds
		57 | 
		58 |   service_load_balancers = var.microservice_lb != null ? concat([{
		59 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		60 |     container_name   = var.name
		61 |     container_port   = var.container_port_config[0].containerPort
		62 |     }],
		63 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		64 | 
		65 |   efs_volumes = var.efs_volumes
		66 | 
		67 |   security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id]
		68 | 
		69 |   subnets = var.account_config.private_subnet_ids
		70 | 
		71 |   enable_execute_command = true
		72 | 
		73 |   tags = var.tags
		74 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.ldap_ecs.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-26
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.container_health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 |   system_controls = var.system_controls
		26 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.ldap_ecs.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:37-74
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "ecs_service" {
		38 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0"
		39 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		40 |   cluster_arn           = var.ecs_cluster_arn
		41 |   name                  = "${var.env_name}-${var.name}"
		42 | 
		43 |   task_cpu    = var.container_cpu
		44 |   task_memory = var.container_memory
		45 | 
		46 |   pin_task_definition_revision = var.pin_task_definition_revision
		47 | 
		48 |   desired_count                      = var.desired_count
		49 |   deployment_maximum_percent         = var.deployment_maximum_percent
		50 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		51 | 
		52 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		53 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		54 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		55 | 
		56 |   health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds
		57 | 
		58 |   service_load_balancers = var.microservice_lb != null ? concat([{
		59 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		60 |     container_name   = var.name
		61 |     container_port   = var.container_port_config[0].containerPort
		62 |     }],
		63 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		64 | 
		65 |   efs_volumes = var.efs_volumes
		66 | 
		67 |   security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id]
		68 | 
		69 |   subnets = var.account_config.private_subnet_ids
		70 | 
		71 |   enable_execute_command = true
		72 | 
		73 |   tags = var.tags
		74 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.pwm.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-26
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.container_health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 |   system_controls = var.system_controls
		26 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.pwm.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:37-74
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "ecs_service" {
		38 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0"
		39 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		40 |   cluster_arn           = var.ecs_cluster_arn
		41 |   name                  = "${var.env_name}-${var.name}"
		42 | 
		43 |   task_cpu    = var.container_cpu
		44 |   task_memory = var.container_memory
		45 | 
		46 |   pin_task_definition_revision = var.pin_task_definition_revision
		47 | 
		48 |   desired_count                      = var.desired_count
		49 |   deployment_maximum_percent         = var.deployment_maximum_percent
		50 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		51 | 
		52 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		53 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		54 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		55 | 
		56 |   health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds
		57 | 
		58 |   service_load_balancers = var.microservice_lb != null ? concat([{
		59 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		60 |     container_name   = var.name
		61 |     container_port   = var.container_port_config[0].containerPort
		62 |     }],
		63 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		64 | 
		65 |   efs_volumes = var.efs_volumes
		66 | 
		67 |   security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id]
		68 | 
		69 |   subnets = var.account_config.private_subnet_ids
		70 | 
		71 |   enable_execute_command = true
		72 | 
		73 |   tags = var.tags
		74 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-26
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.container_health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 |   system_controls = var.system_controls
		26 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:37-74
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "ecs_service" {
		38 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0"
		39 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		40 |   cluster_arn           = var.ecs_cluster_arn
		41 |   name                  = "${var.env_name}-${var.name}"
		42 | 
		43 |   task_cpu    = var.container_cpu
		44 |   task_memory = var.container_memory
		45 | 
		46 |   pin_task_definition_revision = var.pin_task_definition_revision
		47 | 
		48 |   desired_count                      = var.desired_count
		49 |   deployment_maximum_percent         = var.deployment_maximum_percent
		50 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		51 | 
		52 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		53 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		54 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		55 | 
		56 |   health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds
		57 | 
		58 |   service_load_balancers = var.microservice_lb != null ? concat([{
		59 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		60 |     container_name   = var.name
		61 |     container_port   = var.container_port_config[0].containerPort
		62 |     }],
		63 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		64 | 
		65 |   efs_volumes = var.efs_volumes
		66 | 
		67 |   security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id]
		68 | 
		69 |   subnets = var.account_config.private_subnet_ids
		70 | 
		71 |   enable_execute_command = true
		72 | 
		73 |   tags = var.tags
		74 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic_eis.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-26
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.container_health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 |   system_controls = var.system_controls
		26 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic_eis.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:37-74
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "ecs_service" {
		38 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0"
		39 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		40 |   cluster_arn           = var.ecs_cluster_arn
		41 |   name                  = "${var.env_name}-${var.name}"
		42 | 
		43 |   task_cpu    = var.container_cpu
		44 |   task_memory = var.container_memory
		45 | 
		46 |   pin_task_definition_revision = var.pin_task_definition_revision
		47 | 
		48 |   desired_count                      = var.desired_count
		49 |   deployment_maximum_percent         = var.deployment_maximum_percent
		50 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		51 | 
		52 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		53 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		54 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		55 | 
		56 |   health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds
		57 | 
		58 |   service_load_balancers = var.microservice_lb != null ? concat([{
		59 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		60 |     container_name   = var.name
		61 |     container_port   = var.container_port_config[0].containerPort
		62 |     }],
		63 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		64 | 
		65 |   efs_volumes = var.efs_volumes
		66 | 
		67 |   security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id]
		68 | 
		69 |   subnets = var.account_config.private_subnet_ids
		70 | 
		71 |   enable_execute_command = true
		72 | 
		73 |   tags = var.tags
		74 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.alfresco_sfs_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.alfresco_sfs_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.alfresco_sfs_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.alfresco_sfs_ecs.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:111-115
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		112 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		113 |   ip_protocol       = "-1"
		114 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		115 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.alfresco_sfs_ecs.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:117-124
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		118 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		119 |   ip_protocol                  = "TCP"
		120 |   from_port                    = each.value
		121 |   to_port                      = each.value
		122 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		123 |   referenced_security_group_id = aws_security_group.ecs_service.id
		124 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.ldap_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.ldap_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.ldap_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.ldap_ecs.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:111-115
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		112 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		113 |   ip_protocol       = "-1"
		114 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		115 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.ldap_ecs.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:117-124
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		118 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		119 |   ip_protocol                  = "TCP"
		120 |   from_port                    = each.value
		121 |   to_port                      = each.value
		122 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		123 |   referenced_security_group_id = aws_security_group.ecs_service.id
		124 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.pwm.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.pwm.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.pwm.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:111-115
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		112 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		113 |   ip_protocol       = "-1"
		114 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		115 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:117-124
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		118 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		119 |   ip_protocol                  = "TCP"
		120 |   from_port                    = each.value
		121 |   to_port                      = each.value
		122 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		123 |   referenced_security_group_id = aws_security_group.ecs_service.id
		124 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.weblogic.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.weblogic.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.weblogic.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:111-115
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		112 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		113 |   ip_protocol       = "-1"
		114 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		115 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:117-124
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		118 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		119 |   ip_protocol                  = "TCP"
		120 |   from_port                    = each.value
		121 |   to_port                      = each.value
		122 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		123 |   referenced_security_group_id = aws_security_group.ecs_service.id
		124 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.weblogic_eis.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.weblogic_eis.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.weblogic_eis.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:111-115
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		112 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		113 |   ip_protocol       = "-1"
		114 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		115 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:117-124
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		118 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		119 |   ip_protocol                  = "TCP"
		120 |   from_port                    = each.value
		121 |   to_port                      = each.value
		122 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		123 |   referenced_security_group_id = aws_security_group.ecs_service.id
		124 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.alfresco_sfs_ecs.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:52-60
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		52 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		53 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		54 |   security_group_id        = aws_security_group.ecs_service.id
		55 |   type                     = "ingress"
		56 |   from_port                = each.value
		57 |   to_port                  = each.value
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = var.cluster_security_group_id
		60 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.alfresco_sfs_ecs.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:62-70
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		62 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		63 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		64 |   security_group_id        = aws_security_group.ecs_service.id
		65 |   type                     = "ingress"
		66 |   from_port                = each.value
		67 |   to_port                  = each.value
		68 |   protocol                 = "tcp"
		69 |   source_security_group_id = var.bastion_sg_id
		70 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.ldap_ecs.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:52-60
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		52 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		53 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		54 |   security_group_id        = aws_security_group.ecs_service.id
		55 |   type                     = "ingress"
		56 |   from_port                = each.value
		57 |   to_port                  = each.value
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = var.cluster_security_group_id
		60 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.ldap_ecs.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:62-70
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		62 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		63 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		64 |   security_group_id        = aws_security_group.ecs_service.id
		65 |   type                     = "ingress"
		66 |   from_port                = each.value
		67 |   to_port                  = each.value
		68 |   protocol                 = "tcp"
		69 |   source_security_group_id = var.bastion_sg_id
		70 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:52-60
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		52 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		53 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		54 |   security_group_id        = aws_security_group.ecs_service.id
		55 |   type                     = "ingress"
		56 |   from_port                = each.value
		57 |   to_port                  = each.value
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = var.cluster_security_group_id
		60 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:62-70
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		62 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		63 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		64 |   security_group_id        = aws_security_group.ecs_service.id
		65 |   type                     = "ingress"
		66 |   from_port                = each.value
		67 |   to_port                  = each.value
		68 |   protocol                 = "tcp"
		69 |   source_security_group_id = var.bastion_sg_id
		70 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:52-60
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		52 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		53 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		54 |   security_group_id        = aws_security_group.ecs_service.id
		55 |   type                     = "ingress"
		56 |   from_port                = each.value
		57 |   to_port                  = each.value
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = var.cluster_security_group_id
		60 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:62-70
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		62 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		63 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		64 |   security_group_id        = aws_security_group.ecs_service.id
		65 |   type                     = "ingress"
		66 |   from_port                = each.value
		67 |   to_port                  = each.value
		68 |   protocol                 = "tcp"
		69 |   source_security_group_id = var.bastion_sg_id
		70 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:52-60
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		52 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		53 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		54 |   security_group_id        = aws_security_group.ecs_service.id
		55 |   type                     = "ingress"
		56 |   from_port                = each.value
		57 |   to_port                  = each.value
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = var.cluster_security_group_id
		60 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:62-70
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		62 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		63 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		64 |   security_group_id        = aws_security_group.ecs_service.id
		65 |   type                     = "ingress"
		66 |   from_port                = each.value
		67 |   to_port                  = each.value
		68 |   protocol                 = "tcp"
		69 |   source_security_group_id = var.bastion_sg_id
		70 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.alfresco_sfs_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.alfresco_sfs_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.alfresco_sfs_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ldap_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.pwm.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.pwm.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.pwm.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.weblogic.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.weblogic_eis.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_eis.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_eis.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.ldap.module.efs.aws_efs_access_point.this
	File: /../helpers/efs/main.tf:26-37
	Calling File: /../components/ldap/efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "this" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.account_info.application_name}-${var.env_name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.ldap.module.efs.aws_efs_access_point.this
	File: /../helpers/efs/main.tf:26-37
	Calling File: /../components/ldap/efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "this" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.account_info.application_name}-${var.env_name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.alfresco_efs.aws_efs_access_point.this
	File: /../helpers/efs/main.tf:26-37
	Calling File: /alfresco.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "this" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.account_info.application_name}-${var.env_name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.alfresco_efs.aws_efs_access_point.this
	File: /../helpers/efs/main.tf:26-37
	Calling File: /alfresco.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "this" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.account_info.application_name}-${var.env_name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.weblogic_ssm.aws_ssm_parameter.secure
	File: /../helpers/ssm_params/main.tf:11-19
	Calling File: /weblogic_params.tf:135-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		11 | resource "aws_ssm_parameter" "secure" {
		12 |   for_each = toset([for item in var.params_secure : item])
		13 |   name     = "/${var.environment_name}/${var.application_name}/${each.value}"
		14 |   type     = "SecureString"
		15 |   value    = "change_me"
		16 |   lifecycle {
		17 |     ignore_changes = [value]
		18 |   }
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap.module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: module.alfresco_efs.aws_efs_file_system.this
	File: /../helpers/efs/main.tf:3-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		3  | resource "aws_efs_file_system" "this" {
		4  |   creation_token                  = var.creation_token
		5  |   encrypted                       = var.encrypted
		6  |   kms_key_id                      = var.kms_key_arn
		7  |   throughput_mode                 = var.throughput_mode
		8  |   provisioned_throughput_in_mibps = var.provisioned_throughput_in_mibps
		9  | 
		10 |   tags = merge(
		11 |     var.tags,
		12 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.name}" },
		13 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		14 |   )
		15 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.weblogic_eis_google_analytics_id
	File: /weblogic_eis.tf:116-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		116 | resource "aws_ssm_parameter" "weblogic_eis_google_analytics_id" {
		117 |   name  = "/${var.env_name}/delius/monitoring/analytics/google_id"
		118 |   type  = "String"
		119 |   value = "DEFAULT"
		120 |   lifecycle {
		121 |     ignore_changes = [value]
		122 |   }
		123 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.weblogic_ssm.aws_ssm_parameter.plain
	File: /../helpers/ssm_params/main.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		1 | resource "aws_ssm_parameter" "plain" {
		2 |   for_each = toset([for item in var.params_plain : item])
		3 |   name     = "/${var.environment_name}/${var.application_name}/${each.value}"
		4 |   type     = "String"
		5 |   value    = "change_me"
		6 |   lifecycle {
		7 |     ignore_changes = [value]
		8 |   }
		9 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.alfresco_sfs_ecs.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.ldap_ecs.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.pwm.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.weblogic.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.weblogic_eis.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.cluster
	File: /common_ecs.tf:9-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		9  | resource "aws_security_group" "cluster" {
		10 |   name_prefix = "ecs-cluster-${var.env_name}"
		11 |   vpc_id      = var.account_config.shared_vpc_id
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.alfresco_sfs_ecs.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.ldap_ecs.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.pwm.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.weblogic.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.weblogic_eis.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/delius_environment

*****************************

Running tflint in terraform/environments/delius-core/modules/delius_environment
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-core/modules/delius_environment/pwm.tf line 136:
 136: resource "random_id" "security_key" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/delius_environment

*****************************

Running Trivy in terraform/environments/delius-core/modules/delius_environment
2024-12-03T00:55:55Z	INFO	[vulndb] Need to update DB
2024-12-03T00:55:55Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-03T00:55:55Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T00:55:58Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T00:55:58Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-03T00:55:58Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-03T00:55:58Z	INFO	[misconfig] Need to update the built-in checks
2024-12-03T00:55:58Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-03T00:55:59Z	INFO	[secret] Secret scanning is enabled
2024-12-03T00:55:59Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T00:55:59Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T00:56:00Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-03T00:56:00Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, app_name, bastion_config, db_config, delius_microservice_configs, dms_config, env_name, env_name_to_dms_config_map, environment_config, platform_vars, tags"
2024-12-03T00:56:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.alfresco_sfs_alb" value="cty.NilVal"
2024-12-03T00:56:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.ancillary_alb_ingress_https_global_protect_allowlist" value="cty.NilVal"
2024-12-03T00:56:00Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.delius_core_frontend_alb_ingress_https_global_protect_allowlist" value="cty.NilVal"
2024-12-03T00:56:01Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open cluster: no such file or directory"
2024-12-03T00:56:02Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alfresco_efs.aws_efs_mount_target.this" value="cty.NilVal"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ldap.module.efs.aws_efs_mount_target.this" value="cty.NilVal"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.ldap.module.s3_bucket_ldap_data_refresh.data.aws_iam_policy_document.bucket_policy_v2" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.bucket_policy_v2.dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.ldap.module.s3_bucket_ldap_data_refresh.data.aws_iam_policy_document.bucket_policy_v2" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.bucket_policy_v2.dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-03T00:56:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_cloudwatch_metric_alarm.dms_cdc_latency_source" value="cty.NilVal"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_cloudwatch_metric_alarm.dms_cdc_latency_target" value="cty.NilVal"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_replication_task.audited_interaction_checksum_inbound_replication" value="cty.NilVal"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_replication_task.audited_interaction_inbound_replication" value="cty.NilVal"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_replication_task.business_interaction_inbound_replication" value="cty.NilVal"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_replication_task.user_outbound_replication" value="cty.NilVal"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_s3_endpoint.dms_audit_source_endpoint_s3" value="cty.NilVal"
2024-12-03T00:56:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_s3_endpoint.dms_user_target_endpoint_s3" value="cty.NilVal"
2024-12-03T00:56:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_primary[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-03T00:56:05Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_primary[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:05Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_primary[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_standby[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-03T00:56:05Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_standby[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:05Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_standby[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T00:56:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-12-03T00:56:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-12-03T00:56:15Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-03T00:56:15Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T00:56:15Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T00:56:15Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="alb_frontend.tf:43"
2024-12-03T00:56:15Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="alb_ancillary.tf:45"
2024-12-03T00:56:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../components/oracle_db_shared/sg.tf:16"
2024-12-03T00:56:15Z	INFO	Number of language-specific files	num=0
2024-12-03T00:56:15Z	INFO	Detected config files	num=17

 (terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────


trivy_exitcode=1

Labels
- dependencies: Pull requests that update a dependency file
- environments-repository: Used to exclude PRs from this repo in our Slack PR update
- terraform: Pull requests that update Terraform code