
🇫🇷 Enabling Paris II: Rebaselining #6976

Merged
merged 1 commit into from
May 10, 2024

@julialawrence (Contributor) commented May 10, 2024

A reference to the issue / Description of it

#6917
ministryofjustice/analytical-platform#4222

Analytical Platform had a customer request to make Bedrock available in Paris due to model selection being better than Frankfurt. The region is not currently used and therefore bootstrapped on MP.

How does this PR fix the problem?

This updates provider definitions and adds eu-west-3 to enabled regions. The last attempt had failed due to sprinkler not having been enrolled in SecurityHub at the org level. sprinkler and other accounts have now been enrolled and future accounts will be enrolled automatically.

How has this been tested?

Last attempt failed on apply to sprinkler step during the initial PR checks. The main test is running the secure-baselines component on sprinkler again.

Deployment Plan / Instructions

This shouldn't impact live services. However, it will break further secure-baselines runs if the apply on sprinkler fails. The backout steps are here

{Please write here}

Checklist (check x in [ ] of list items)

  • I have performed a self-review of my own code
  • All checks have passed
  • I have made corresponding changes to the documentation
  • Plan and discussed how it should be deployed to PROD (If needed)

Additional comments (if any)

{Please write here}

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/bootstrap/secure-baselines terraform/modernisation-platform-account


Running Trivy in terraform/environments/bootstrap/secure-baselines
2024-05-10T07:31:28Z INFO Need to update DB
2024-05-10T07:31:28Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-10T07:31:30Z INFO Vulnerability scanning is enabled
2024-05-10T07:31:30Z INFO Misconfiguration scanning is enabled
2024-05-10T07:31:30Z INFO Need to update the built-in policies
2024-05-10T07:31:30Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-10T07:31:31Z INFO Secret scanning is enabled
2024-05-10T07:31:31Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-10T07:31:31Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-10T07:31:34Z INFO Number of language-specific files num=0
2024-05-10T07:31:34Z INFO Detected config files num=8

github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=2a59110767bd30e949b242818da7dbe72fe9481b/config.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=2a59110767bd30e949b242818da7dbe72fe9481b/modules/cloudtrail/main.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0


Running Trivy in terraform/modernisation-platform-account
2024-05-10T07:31:34Z INFO Vulnerability scanning is enabled
2024-05-10T07:31:34Z INFO Misconfiguration scanning is enabled
2024-05-10T07:31:34Z INFO Secret scanning is enabled
2024-05-10T07:31:34Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-10T07:31:34Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-10T07:32:04Z INFO Number of language-specific files num=0
2024-05-10T07:32:04Z INFO Detected config files num=22

../modules/collaborators/main.tf (terraform)

Tests: 24 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=39e42e1f847afe5fd1c1c98c64871817e37e33ca/modules/iam-group-with-policies/policies.tf (terraform)

Tests: 49 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 49)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:103-153 (module.config-bucket)
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
158 │ bucket = aws_s3_bucket.default.id
159 │ rule {
160 │ apply_server_side_encryption_by_default {
161 │ sse_algorithm = var.sse_algorithm
162 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
163 │ }
164 │ }
165 └ }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf (terraform)

Tests: 10 (SUCCESSES: 5, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:98-107 (module.backup-eu-central-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:164-173 (module.backup-us-east-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:142-151 (module.backup-eu-west-3["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:131-140 (module.backup-eu-west-2["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:120-129 (module.backup-eu-west-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/cloudtrail/main.tf (terraform)

Tests: 5 (SUCCESSES: 4, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf (terraform)

Tests: 10 (SUCCESSES: 5, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:334-351 (module.config-eu-central-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:372-389 (module.config-eu-west-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:391-408 (module.config-eu-west-2["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:410-427 (module.config-eu-west-3["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:448-465 (module.config-us-east-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=9ba93858510a46312a36cd40a2afae2eedf68ca5/github.com/terraform-aws-modules/terraform-aws-iam.git/modules/iam-group-with-policies?ref=25e2bf9f9f4757a7014b55db981be9d2beeab445/policies.tf (terraform)

Tests: 44 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 44)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=9ba93858510a46312a36cd40a2afae2eedf68ca5/main.tf (terraform)

Tests: 39 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 39)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket-replication-role?ref=3b8a2945c1d266cc0ec2b21edb7f186b6574bda7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

iam.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 5)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1
```
</details>

#### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/secure-baselines terraform/modernisation-platform-account

*****************************

Running Checkov in terraform/environments/bootstrap/secure-baselines
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-10 07:32:06,831 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=2a59110767bd30e949b242818da7dbe72fe9481b:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 9, Failed checks: 0, Skipped checks: 0


checkov_exitcode=0

*****************************

Running Checkov in terraform/modernisation-platform-account
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-10 07:32:10,420 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=9ba93858510a46312a36cd40a2afae2eedf68ca5:None (for external modules, the --download-external-modules flag is required)
2024-05-10 07:32:10,420 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-group-with-policies:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-10 07:32:10,420 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-05-10 07:32:10,420 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket-replication-role?ref=3b8a2945c1d266cc0ec2b21edb7f186b6574bda7:None (for external modules, the --download-external-modules flag is required)
2024-05-10 07:32:10,421 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1:None (for external modules, the --download-external-modules flag is required)
2024-05-10 07:32:10,421 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 207, Failed checks: 0, Skipped checks: 22


checkov_exitcode=0
```
</details>

#### `TFLint Scan` Success
<details><summary>Show Output</summary>

```hcl
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/secure-baselines terraform/modernisation-platform-account

*****************************

Running tflint in terraform/environments/bootstrap/secure-baselines
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modernisation-platform-account
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
```
</details>

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
   via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
    via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:131-140 (module.backup-eu-west-2["enabled"])
     via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
 119   resource "aws_sns_topic" "backup_failure_topic" {
 120 [   kms_master_key_id = var.sns_backup_topic_key
 121     name              = "backup_failure_topic"
 122     tags = merge(var.tags, {
 123       Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
 124     })
 125   }
────────────────────────────────────────


HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
   via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
    via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:120-129 (module.backup-eu-west-1["enabled"])
     via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
 119   resource "aws_sns_topic" "backup_failure_topic" {
 120 [   kms_master_key_id = var.sns_backup_topic_key
 121     name              = "backup_failure_topic"
 122     tags = merge(var.tags, {
 123       Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
 124     })
 125   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/cloudtrail/main.tf (terraform)
===========================================================================================================================================================
Tests: 5 (SUCCESSES: 4, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf (terraform)
=======================================================================================================================================================
Tests: 10 (SUCCESSES: 5, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
   via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
    via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:334-351 (module.config-eu-central-1["enabled"])
     via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
  38   resource "aws_sns_topic" "default" {
  39     name              = "config"
  40 [   kms_master_key_id = "alias/aws/sns"
  41     tags              = var.tags
  42   }
────────────────────────────────────────


HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
   via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
    via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:372-389 (module.config-eu-west-1["enabled"])
     via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
  38   resource "aws_sns_topic" "default" {
  39     name              = "config"
  40 [   kms_master_key_id = "alias/aws/sns"
  41     tags              = var.tags
  42   }
────────────────────────────────────────


HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
   via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
    via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:391-408 (module.config-eu-west-2["enabled"])
     via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
  38   resource "aws_sns_topic" "default" {
  39     name              = "config"
  40 [   kms_master_key_id = "alias/aws/sns"
  41     tags              = var.tags
  42   }
────────────────────────────────────────


HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
   via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
    via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:410-427 (module.config-eu-west-3["enabled"])
     via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
  38   resource "aws_sns_topic" "default" {
  39     name              = "config"
  40 [   kms_master_key_id = "alias/aws/sns"
  41     tags              = var.tags
  42   }
────────────────────────────────────────


HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.

See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
   via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
    via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:448-465 (module.config-us-east-1["enabled"])
     via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
  38   resource "aws_sns_topic" "default" {
  39     name              = "config"
  40 [   kms_master_key_id = "alias/aws/sns"
  41     tags              = var.tags
  42   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=9ba93858510a46312a36cd40a2afae2eedf68ca5/github.com/terraform-aws-modules/terraform-aws-iam.git/modules/iam-group-with-policies?ref=25e2bf9f9f4757a7014b55db981be9d2beeab445/policies.tf (terraform)
======================================================================================================================================================================================================================================================================================
Tests: 44 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 44)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=9ba93858510a46312a36cd40a2afae2eedf68ca5/main.tf (terraform)
==============================================================================================================================================
Tests: 39 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 39)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket-replication-role?ref=3b8a2945c1d266cc0ec2b21edb7f186b6574bda7/main.tf (terraform)
=========================================================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 5 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 5)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1
```

@julialawrence julialawrence marked this pull request as ready for review May 10, 2024 08:00
@julialawrence julialawrence requested a review from a team as a code owner May 10, 2024 08:00
@julialawrence julialawrence added this pull request to the merge queue May 10, 2024
Merged via the queue into main with commit a193210 May 10, 2024
16 of 17 checks passed
@julialawrence julialawrence deleted the feature/rebootstrap-france branch May 10, 2024 08:10