
Legacy tribunals #2351

Closed
wants to merge 328 commits into from

Conversation

FirdevsKarabagHMCTS

No description provided.

@FirdevsKarabagHMCTS FirdevsKarabagHMCTS requested review from a team as code owners May 26, 2023 07:41
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label May 26, 2023
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running TFSEC in terraform/environments/ccms-ebs
Excluding the following checks: AWS095

Result #1 CRITICAL Listener uses an outdated TLS policy. 
────────────────────────────────────────────────────────────────────────────────
  alb.tf:100
────────────────────────────────────────────────────────────────────────────────
   91    resource "aws_lb_listener" "webgate_listener" {
   ..  
  100  [   ssl_policy        = "ELBSecurityPolicy-2016-08" ("ELBSecurityPolicy-2016-08")
  ...  
  107    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-use-secure-tls-policy
      Impact The SSL policy is outdated and has known vulnerabilities
  Resolution Use a more recent TLS/SSL policy for the load balancer

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/use-secure-tls-policy/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Listener uses an outdated TLS policy. 
────────────────────────────────────────────────────────────────────────────────
  alb.tf:162
────────────────────────────────────────────────────────────────────────────────
  153    resource "aws_lb_listener" "webgate_public_listener" {
  ...  
  162  [   ssl_policy        = "ELBSecurityPolicy-2016-08" ("ELBSecurityPolicy-2016-08")
  ...  
  169    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-use-secure-tls-policy
      Impact The SSL policy is outdated and has known vulnerabilities
  Resolution Use a more recent TLS/SSL policy for the load balancer

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/use-secure-tls-policy/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Listener uses an outdated TLS policy. 
────────────────────────────────────────────────────────────────────────────────
  alb.tf:30
────────────────────────────────────────────────────────────────────────────────
   21    resource "aws_lb_listener" "ebsapps_listener" {
   ..  
   30  [   ssl_policy        = "ELBSecurityPolicy-2016-08" ("ELBSecurityPolicy-2016-08")
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-use-secure-tls-policy
      Impact The SSL policy is outdated and has known vulnerabilities
  Resolution Use a more recent TLS/SSL policy for the load balancer

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/use-secure-tls-policy/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
────────────────────────────────────────────────────────────────────────────────


Result #4 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  alb.tf:1-19
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_lb" "ebsapps_lb" {
    2  │   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
    3  │   internal           = false
    4  │   load_balancer_type = "application"
    5  │   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
    6  │   subnets            = data.aws_subnets.shared-public.ids
    7  │ 
    8  │   enable_deletion_protection = true
    9  └ 
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #5 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  alb.tf:133-151
────────────────────────────────────────────────────────────────────────────────
  133  ┌ resource "aws_lb" "webgate_public_lb" {
  134  │   name               = lower(format("public-alb-webgate"))
  135  │   internal           = false
  136  │   load_balancer_type = "application"
  137  │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  138  │   subnets            = data.aws_subnets.shared-public.ids
  139  │ 
  140  │   enable_deletion_protection = true
  141  └ 
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #6 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  alb.tf:135
────────────────────────────────────────────────────────────────────────────────
  133    resource "aws_lb" "webgate_public_lb" {
  ...  
  135  [   internal           = false (false)
  ...  
  151    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #7 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  alb.tf:3
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_lb" "ebsapps_lb" {
    .  
    3  [   internal           = false (false)
   ..  
   19    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #8 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  alb.tf:70-89
────────────────────────────────────────────────────────────────────────────────
   70  ┌ resource "aws_lb" "webgate_lb" {
   71  │   count              = local.is-production ? 1 : 1
   72  │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   73  │   internal           = true
   74  │   load_balancer_type = "application"
   75  │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   76  │   subnets            = data.aws_subnets.shared-private.ids
   77  │ 
   78  └   enable_deletion_protection = true
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #9 HIGH IAM policy document uses sensitive action 'ec2:CreateSnapshot' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  data_lifecycle_manager.tf:39
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_iam_role_policy" "dlm_lifecycle" {
   ..  
   39  [          "Resource": "*"
   ..  
   51    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #10 HIGH IAM policy document uses sensitive action 'ec2:CreateTags' on wildcarded resource 'arn:aws:ec2:*::snapshot/*' 
────────────────────────────────────────────────────────────────────────────────
  data_lifecycle_manager.tf:46
────────────────────────────────────────────────────────────────────────────────
   22    resource "aws_iam_role_policy" "dlm_lifecycle" {
   ..  
   46  [          "Resource": "arn:aws:ec2:*::snapshot/*"
   ..  
   51    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #11 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  ec2_oracle_accessgate.tf:1-103
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_instance" "ec2_accessgate" {
    2  │   count                  = local.application_data.accounts[local.environment].accessgate_no_instances
    3  │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
    4  │   ami                    = data.aws_ami.accessgate.id
    5  │   key_name               = local.application_data.accounts[local.environment].key_name
    6  │   vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
    7  │   subnet_id              = local.environment == "development" ? local.data_subnets[count.index] : local.private_subnets[count.index]
    8  │   #subnet_id                   = data.aws_subnet.data_subnets_a.id
    9  └   monitoring                  = true
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Result #12 HIGH Root block device is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ec2_oracle_ebs.tf:2-91
────────────────────────────────────────────────────────────────────────────────
    2  ┌ resource "aws_instance" "ec2_oracle_ebs" {
    3  │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
    4  │   #ami                         = data.aws_ami.oracle_db.id
    5  │   ami                         = local.environment == "development" ? local.application_data.accounts[local.environment].restored_db_image : data.aws_ami.oracle_db.id
    6  │   key_name                    = local.application_data.accounts[local.environment].key_name
    7  │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
    8  │   subnet_id                   = data.aws_subnet.data_subnets_a.id
    9  │   monitoring                  = true
   10  └   ebs_optimized               = false
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enable-at-rest-encryption
      Impact The block device could be compromised and read from
  Resolution Turn on encryption for all block devices

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enable-at-rest-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  ec2_oracle_ebs_apps.tf:1-115
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_instance" "ec2_ebsapps" {
    2  │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
    3  │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
    4  │   ami                    = data.aws_ami.oracle_base_prereqs.id
    5  │   key_name               = local.application_data.accounts[local.environment].key_name
    6  │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
    7  │   subnet_id              = local.environment == "development" ? local.data_subnets[count.index] : local.private_subnets[count.index]
    8  │   #subnet_id                   = data.aws_subnet.data_subnets_a.id
    9  └   monitoring                  = true
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  ec2_oracle_webgate.tf:1-103
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_instance" "ec2_webgate" {
    2  │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
    3  │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
    4  │   ami                    = data.aws_ami.webgate.id
    5  │   key_name               = local.application_data.accounts[local.environment].key_name
    6  │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
    7  │   subnet_id              = local.environment == "development" ? local.data_subnets[count.index] : local.private_subnets[count.index]
    8  │   #subnet_id                   = data.aws_subnet.data_subnets_a.id
    9  └   monitoring                  = true
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Result #15 HIGH IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'arn:aws:logs:*:*:*' 
────────────────────────────────────────────────────────────────────────────────
  iam.tf:107
────────────────────────────────────────────────────────────────────────────────
  102    resource "aws_iam_policy" "cw_logging_policy" {
  ...  
  107  [     {
  ...  
  126    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #16-18 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource 'arn:aws:s3:::ccms-ebs-*-dbbackup' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  iam.tf:138
────────────────────────────────────────────────────────────────────────────────
  133    resource "aws_iam_policy" "rman_to_s3" {
  ...  
  138  [     {
  ...  
  173    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - iam.tf:133-173 (aws_iam_policy.rman_to_s3) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #19-21 HIGH IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource 'arn:aws:logs:eu-west-2::log-group:/aws/ssm/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  iam.tf:7
────────────────────────────────────────────────────────────────────────────────
    2    resource "aws_iam_policy" "ec2_ssm_policy" {
    .  
    7  [     {
   ..  
   49    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - iam.tf:2-49 (aws_iam_policy.ec2_ssm_policy) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  nlb.tf:100
────────────────────────────────────────────────────────────────────────────────
   98    resource "aws_lb" "webgate_nlb" {
   ..  
  100  [   internal           = false (false)
  ...  
  124    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  nlb.tf:21
────────────────────────────────────────────────────────────────────────────────
   19    resource "aws_lb" "ebsapps_nlb" {
   ..  
   21  [   internal           = false (false)
   ..  
   45    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Topic encryption does not use a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  sns.tf:20
────────────────────────────────────────────────────────────────────────────────
   18    resource "aws_sns_topic" "cw_alerts" {
   19      name = "ccms-ebs-ec2-alerts"
   20  [   kms_master_key_id = "alias/aws/sns" ("alias/aws/sns")
   21    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-topic-encryption-use-cmk
      Impact Key management very limited when using default keys.
  Resolution Use a CMK for SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/topic-encryption-use-cmk/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


Result #25 HIGH Topic does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  sns.tf:34-37
────────────────────────────────────────────────────────────────────────────────
   34    resource "aws_sns_topic" "s3_topic" {
   35      name   = "s3-event-notification-topic"
   36      policy = data.aws_iam_policy_document.s3_topic_policy.json
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-enable-topic-encryption
      Impact The SNS topic messages could be read if compromised
  Resolution Turn on SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/enable-topic-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


Result #26 HIGH Topic encryption does not use a customer managed key. 
────────────────────────────────────────────────────────────────────────────────
  sns.tf:52
────────────────────────────────────────────────────────────────────────────────
   50    resource "aws_sns_topic" "ddos_alarm" {
   51      name              = format("%s_ddos_alarm", local.application_name)
   52  [   kms_master_key_id = "alias/aws/sns" ("alias/aws/sns")
   53    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-topic-encryption-use-cmk
      Impact Key management very limited when using default keys.
  Resolution Use a CMK for SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/topic-encryption-use-cmk/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


Results #27-28 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v6.2.0/main.tf:159
   via s3.tf:190-257 (module.s3-bucket-dbbackup)
────────────────────────────────────────────────────────────────────────────────
  156    resource "aws_s3_bucket_versioning" "default" {
  157      bucket = aws_s3_bucket.default.id
  158      versioning_configuration {
  159  [     status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
  160      }
  161    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v6.2.0/main.tf:99-166 (module.s3-bucket-logging)
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v6.2.0/main.tf:190-257 (module.s3-bucket-dbbackup)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  waf.tf:93-100
────────────────────────────────────────────────────────────────────────────────
   93    resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
   94      name              = "aws-waf-logs-ebs/ebs-waf-logs"
   95      retention_in_days = 30
   96    
   97      tags = merge(local.tags,
   98        { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
   99      )
  100    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             2.634836ms
  parsing              554.981887ms
  adaptation           4.728153ms
  checks               50.650174ms
  total                612.99505ms

  counts
  ──────────────────────────────────────────
  modules downloaded   1
  modules processed    11
  blocks processed     588
  files read           59

  results
  ──────────────────────────────────────────
  passed               148
  ignored              15
  critical             3
  high                 23
  medium               2
  low                  1

  148 passed, 15 ignored, 29 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
2023-05-26 07:44:32,915 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v1.0.0:None (for external modules, the --download-external-modules flag is required)
2023-05-26 07:44:32,915 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v6.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 479, Failed checks: 44, Skipped checks: 0

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /alb.tf:1-19
	Guide: https://docs.bridgecrew.io/docs/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /alb.tf:39-54
	Guide: https://docs.bridgecrew.io/docs/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /alb.tf:70-89
	Guide: https://docs.bridgecrew.io/docs/ensure-that-alb-drops-http-headers

		70 | resource "aws_lb" "webgate_lb" {
		71 |   count              = local.is-production ? 1 : 1
		72 |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		73 |   internal           = true
		74 |   load_balancer_type = "application"
		75 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		76 |   subnets            = data.aws_subnets.shared-private.ids
		77 | 
		78 |   enable_deletion_protection = true
		79 | 
		80 |   access_logs {
		81 |     bucket  = module.s3-bucket-logging.bucket.id
		82 |     prefix  = local.lb_log_prefix_wgate
		83 |     enabled = true
		84 |   }
		85 | 
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /alb.tf:109-121
	Guide: https://docs.bridgecrew.io/docs/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		109 | resource "aws_lb_target_group" "webgate_tg" {
		110 |   count    = local.is-production ? 1 : 1
		111 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		112 |   port     = 5401
		113 |   protocol = "HTTP"
		114 |   vpc_id   = data.aws_vpc.shared.id
		115 |   health_check {
		116 |     port     = 5401
		117 |     protocol = "HTTP"
		118 |     matcher  = 302
		119 |     timeout  = 10
		120 |   }
		121 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /alb.tf:133-151
	Guide: https://docs.bridgecrew.io/docs/ensure-that-alb-drops-http-headers

		133 | resource "aws_lb" "webgate_public_lb" {
		134 |   name               = lower(format("public-alb-webgate"))
		135 |   internal           = false
		136 |   load_balancer_type = "application"
		137 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		138 |   subnets            = data.aws_subnets.shared-public.ids
		139 | 
		140 |   enable_deletion_protection = true
		141 | 
		142 |   access_logs {
		143 |     bucket  = module.s3-bucket-logging.bucket.id
		144 |     prefix  = local.lb_log_prefix_wgate_public
		145 |     enabled = true
		146 |   }
		147 | 
		148 |   tags = merge(local.tags,
		149 |     { Name = lower(format("public-alb-webgate")) }
		150 |   )
		151 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /alb.tf:171-182
	Guide: https://docs.bridgecrew.io/docs/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		171 | resource "aws_lb_target_group" "webgate_tg_public" {
		172 |   name     = lower(format("public-alb-webgate-tg"))
		173 |   port     = 5401
		174 |   protocol = "HTTP"
		175 |   vpc_id   = data.aws_vpc.shared.id
		176 |   health_check {
		177 |     port     = 5401
		178 |     protocol = "HTTP"
		179 |     matcher  = 302
		180 |     timeout  = 10
		181 |   }
		182 | }

Check: CKV_AWS_356: "Ensure IAM policies limit resource access"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /cloudwatch.tf:52-104

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /cloudwatch.tf:14-25
	Guide: https://docs.bridgecrew.io/docs/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "groups" {
		15 |   for_each          = local.application_data.cw_log_groups
		16 |   name              = each.key
		17 |   retention_in_days = each.value.retention_days
		18 | 
		19 |   tags = merge(
		20 |     local.tags,
		21 |     {
		22 |       Name = each.key
		23 |     },
		24 |   )
		25 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /cloudwatch.tf:26-35

		26 | resource "aws_ssm_parameter" "cw_agent_config" {
		27 |   description = "cloud watch agent config"
		28 |   name        = "cloud-watch-config"
		29 |   type        = "String"
		30 |   value       = file("./templates/cw_agent_config.json")
		31 | 
		32 |   tags = merge(local.tags,
		33 |     { Name = "cw-config" }
		34 |   )
		35 | }

Check: CKV_AWS_283: "Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource"
	FAILED for resource: aws_iam_policy_document.sns_topic_policy_ec2cw
	File: /data.tf:75-98

		75 | data "aws_iam_policy_document" "sns_topic_policy_ec2cw" {
		76 |   policy_id = "SnsTopicId"
		77 |   statement {
		78 |     sid = "statement1"
		79 |     principals {
		80 |       type        = "AWS"
		81 |       identifiers = ["*"]
		82 |     }
		83 |     effect = "Allow"
		84 |     actions = [
		85 |       "SNS:GetTopicAttributes",
		86 |       "SNS:SetTopicAttributes",
		87 |       "SNS:AddPermission",
		88 |       "SNS:DeleteTopic",
		89 |       "SNS:Subscribe",
		90 |       "SNS:ListSubscriptionsByTopic",
		91 |       "SNS:Publish",
		92 |       "SNS:Receive"
		93 |     ]
		94 |     resources = [
		95 |       aws_sns_topic.cw_alerts.arn
		96 |     ]
		97 |   }
		98 | }

Check: CKV_AWS_283: "Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource"
	FAILED for resource: aws_iam_policy_document.sns_topic_policy_s3
	File: /data.tf:100-123

		100 | data "aws_iam_policy_document" "sns_topic_policy_s3" {
		101 |   policy_id = "SnsTopicId"
		102 |   statement {
		103 |     sid = "statement1"
		104 |     principals {
		105 |       type        = "AWS"
		106 |       identifiers = ["*"]
		107 |     }
		108 |     effect = "Allow"
		109 |     actions = [
		110 |       "SNS:GetTopicAttributes",
		111 |       "SNS:SetTopicAttributes",
		112 |       "SNS:AddPermission",
		113 |       "SNS:DeleteTopic",
		114 |       "SNS:Subscribe",
		115 |       "SNS:ListSubscriptionsByTopic",
		116 |       "SNS:Publish",
		117 |       "SNS:Receive"
		118 |     ]
		119 |     resources = [
		120 |       aws_sns_topic.s3_topic.arn
		121 |     ]
		122 |   }
		123 | }

Check: CKV_AWS_283: "Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource"
	FAILED for resource: aws_iam_policy_document.sns_topic_policy_ddos
	File: /data.tf:125-148

		125 | data "aws_iam_policy_document" "sns_topic_policy_ddos" {
		126 |   policy_id = "SnsTopicId"
		127 |   statement {
		128 |     sid = "statement1"
		129 |     principals {
		130 |       type        = "AWS"
		131 |       identifiers = ["*"]
		132 |     }
		133 |     effect = "Allow"
		134 |     actions = [
		135 |       "SNS:GetTopicAttributes",
		136 |       "SNS:SetTopicAttributes",
		137 |       "SNS:AddPermission",
		138 |       "SNS:DeleteTopic",
		139 |       "SNS:Subscribe",
		140 |       "SNS:ListSubscriptionsByTopic",
		141 |       "SNS:Publish",
		142 |       "SNS:Receive"
		143 |     ]
		144 |     resources = [
		145 |       aws_sns_topic.ddos_alarm.arn
		146 |     ]
		147 |   }
		148 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /data_lifecycle_manager.tf:22-51

		22 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		23 |   count = local.is-production ? 0 : 1
		24 |   name  = "dlm-lifecycle-policy"
		25 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		26 | 
		27 |   policy = <<EOF
		28 | {
		29 |    "Version": "2012-10-17",
		30 |    "Statement": [
		31 |       {
		32 |          "Effect": "Allow",
		33 |          "Action": [
		34 |             "ec2:CreateSnapshot",
		35 |             "ec2:DeleteSnapshot",
		36 |             "ec2:DescribeVolumes",
		37 |             "ec2:DescribeSnapshots"
		38 |          ],
		39 |          "Resource": "*"
		40 |       },
		41 |       {
		42 |          "Effect": "Allow",
		43 |          "Action": [
		44 |             "ec2:CreateTags"
		45 |          ],
		46 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		47 |       }
		48 |    ]
		49 | }
		50 | EOF
		51 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_clamav
	File: /ec2_clamav.tf:3-83
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ec2_ftp.tf:2-133
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ec2_mailrelay.tf:2-50
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized

		2  | resource "aws_instance" "ec2_mailrelay" {
		3  |   instance_type          = local.application_data.accounts[local.environment].ec2_instance_type_mailrelay
		4  |   ami                    = local.application_data.accounts[local.environment].mailrelay_ami_id
		5  |   key_name               = local.application_data.accounts[local.environment].key_name
		6  |   vpc_security_group_ids = [aws_security_group.ec2_sg_mailrelay.id]
		7  |   subnet_id              = local.environment == "development" ? data.aws_subnet.data_subnets_a.id : data.aws_subnet.private_subnets_a.id
		8  |   #subnet_id                   = data.aws_subnet.data_subnets_a.id
		9  |   monitoring                  = true
		10 |   ebs_optimized               = false
		11 |   associate_public_ip_address = false
		12 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
		13 | 
		14 |   # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below
		15 |   lifecycle {
		16 |     ignore_changes = [ebs_block_device, root_block_device]
		17 |   }
		18 | 
		19 |   user_data_replace_on_change = true
		20 |   user_data = base64encode(templatefile("./templates/ec2_user_data_mailrelay.sh", {
		21 |     hostname  = "mailrelay"
		22 |     mp_fqdn   = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
		23 |     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"
		24 |   }))
		25 | 
		26 |   metadata_options {
		27 |     http_endpoint = "enabled"
		28 |     http_tokens   = "required"
		29 |   }
		30 | 
		31 |   # Increase the volume size of the root volume
		32 |   root_block_device {
		33 |     volume_type = "gp3"
		34 |     volume_size = 50
		35 |     iops        = 3000
		36 |     encrypted   = true
		37 |     kms_key_id  = data.aws_kms_key.ebs_shared.key_id
		38 |     tags = merge(local.tags,
		39 |       { Name = "root-block" }
		40 |     )
		41 |   }
		42 | 
		43 |   tags = merge(local.tags,
		44 |     { Name = lower(format("ec2-%s-%s-mailrelay", local.application_name, local.environment)) },
		45 |     { instance-scheduling = "skip-scheduling" },
		46 |     { backup = "true" }
		47 |   )
		48 | 
		49 |   depends_on = [aws_security_group.ec2_sg_mailrelay]
		50 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ec2_oracle_accessgate.tf:1-103
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ec2_oracle_accessgate.tf:1-103
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ec2_oracle_ebs.tf:2-91
	Guide: https://docs.bridgecrew.io/docs/general_13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ec2_oracle_ebs.tf:2-91
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ec2_oracle_ebs_apps.tf:1-115
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ec2_oracle_ebs_apps.tf:1-115
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs_dr
	File: /ec2_oracle_ebs_dr_testing.tf:2-72
	Guide: https://docs.bridgecrew.io/docs/general_13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs_dr
	File: /ec2_oracle_ebs_dr_testing.tf:2-72
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ec2_oracle_webgate.tf:1-103
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ec2_oracle_webgate.tf:1-103
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /nlb.tf:19-45
	Guide: https://docs.bridgecrew.io/docs/bc_aws_logging_22

		19 | resource "aws_lb" "ebsapps_nlb" {
		20 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		21 |   internal           = false
		22 |   load_balancer_type = "network"
		23 | 
		24 |   enable_deletion_protection       = true
		25 |   enable_cross_zone_load_balancing = true
		26 | 
		27 |   subnet_mapping {
		28 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		29 |     allocation_id = aws_eip.ebs_eip[0].id
		30 |   }
		31 | 
		32 |   subnet_mapping {
		33 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		34 |     allocation_id = aws_eip.ebs_eip[1].id
		35 |   }
		36 | 
		37 |   subnet_mapping {
		38 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		39 |     allocation_id = aws_eip.ebs_eip[2].id
		40 |   }
		41 | 
		42 |   tags = merge(local.tags,
		43 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		44 |   )
		45 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /nlb.tf:98-124
	Guide: https://docs.bridgecrew.io/docs/bc_aws_logging_22

		98  | resource "aws_lb" "webgate_nlb" {
		99  |   name               = lower(format("public-nlb-webgate"))
		100 |   internal           = false
		101 |   load_balancer_type = "network"
		102 | 
		103 |   enable_deletion_protection       = true
		104 |   enable_cross_zone_load_balancing = true
		105 | 
		106 |   subnet_mapping {
		107 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		108 |     allocation_id = aws_eip.webgate_eip[0].id
		109 |   }
		110 | 
		111 |   subnet_mapping {
		112 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		113 |     allocation_id = aws_eip.webgate_eip[1].id
		114 |   }
		115 | 
		116 |   subnet_mapping {
		117 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		118 |     allocation_id = aws_eip.webgate_eip[2].id
		119 |   }
		120 | 
		121 |   tags = merge(local.tags,
		122 |     { Name = lower(format("public-nlb-webgate")) }
		123 |   )
		124 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /secrets.tf:3-10
	Guide: https://docs.bridgecrew.io/docs/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /secrets.tf:12-19
	Guide: https://docs.bridgecrew.io/docs/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /sns.tf:2-5
	Guide: https://docs.bridgecrew.io/docs/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /sns.tf:34-37
	Guide: https://docs.bridgecrew.io/docs/general_15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /waf.tf:52-91
	Guide: https://docs.bridgecrew.io/docs/ensure-waf-prevents-message-lookup-in-log4j2

		52 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		53 |   name        = "ebs_waf"
		54 |   scope       = "REGIONAL"
		55 |   description = "AWS WAF Web ACL for EBS"
		56 | 
		57 |   default_action {
		58 |     block {}
		59 |   }
		60 | 
		61 |   rule {
		62 |     name = "ebs-trusted-rule"
		63 | 
		64 |     priority = 1
		65 |     action {
		66 |       allow {}
		67 |     }
		68 | 
		69 |     statement {
		70 |       ip_set_reference_statement {
		71 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		72 |       }
		73 |     }
		74 | 
		75 |     visibility_config {
		76 |       cloudwatch_metrics_enabled = true
		77 |       metric_name                = "ebs_waf_metrics"
		78 |       sampled_requests_enabled   = true
		79 |     }
		80 |   }
		81 | 
		82 |   tags = merge(local.tags,
		83 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		84 |   )
		85 | 
		86 |   visibility_config {
		87 |     cloudwatch_metrics_enabled = true
		88 |     metric_name                = "ebs_waf_metrics"
		89 |     sampled_requests_enabled   = true
		90 |   }
		91 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /waf.tf:93-100
	Guide: https://docs.bridgecrew.io/docs/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		93  | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		94  |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		95  |   retention_in_days = 30
		96  | 
		97  |   tags = merge(local.tags,
		98  |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		99  |   )
		100 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /waf.tf:93-100

		93  | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		94  |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		95  |   retention_in_days = 30
		96  | 
		97  |   tags = merge(local.tags,
		98  |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		99  |   )
		100 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /cloudwatch.tf:26-35
	Guide: https://docs.bridgecrew.io/docs/ensure-aws-ssm-parameter-is-encrypted

		26 | resource "aws_ssm_parameter" "cw_agent_config" {
		27 |   description = "cloud watch agent config"
		28 |   name        = "cloud-watch-config"
		29 |   type        = "String"
		30 |   value       = file("./templates/cw_agent_config.json")
		31 | 
		32 |   tags = merge(local.tags,
		33 |     { Name = "cw-config" }
		34 |   )
		35 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.ebsapps_listener
	File: /alb.tf:21-37
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_43

		21 | resource "aws_lb_listener" "ebsapps_listener" {
		22 |   count = local.is-production ? 1 : 1
		23 |   depends_on = [
		24 |     aws_acm_certificate_validation.external
		25 |   ]
		26 | 
		27 |   load_balancer_arn = aws_lb.ebsapps_lb.arn
		28 |   port              = "443"
		29 |   protocol          = "HTTPS"
		30 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		31 |   certificate_arn   = data.aws_acm_certificate.gandi_cert.arn
		32 | 
		33 |   default_action {
		34 |     type             = "forward"
		35 |     target_group_arn = aws_lb_target_group.ebsapp_tg.id
		36 |   }
		37 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.webgate_listener
	File: /alb.tf:91-107
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_43

		91  | resource "aws_lb_listener" "webgate_listener" {
		92  |   count = local.is-production ? 1 : 1
		93  |   depends_on = [
		94  |     aws_acm_certificate_validation.external
		95  |   ]
		96  | 
		97  |   load_balancer_arn = aws_lb.webgate_lb[count.index].arn
		98  |   port              = "443"
		99  |   protocol          = "HTTPS"
		100 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		101 |   certificate_arn   = local.cert_arn
		102 | 
		103 |   default_action {
		104 |     type             = "forward"
		105 |     target_group_arn = aws_lb_target_group.webgate_tg[count.index].id
		106 |   }
		107 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.webgate_public_listener
	File: /alb.tf:153-169
	Guide: https://docs.bridgecrew.io/docs/bc_aws_general_43

		153 | resource "aws_lb_listener" "webgate_public_listener" {
		154 |   count = local.is-production ? 1 : 1
		155 |   depends_on = [
		156 |     aws_acm_certificate_validation.external
		157 |   ]
		158 | 
		159 |   load_balancer_arn = aws_lb.webgate_public_lb.arn
		160 |   port              = "443"
		161 |   protocol          = "HTTPS"
		162 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		163 |   certificate_arn   = data.aws_acm_certificate.gandi_cert.arn
		164 | 
		165 |   default_action {
		166 |     type             = "forward"
		167 |     target_group_arn = aws_lb_target_group.webgate_tg_public.id
		168 |   }
		169 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /nlb.tf:3-14
	Guide: https://docs.bridgecrew.io/docs/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		3  | resource "aws_eip" "ebs_eip" {
		4  |   count = local.is-production ? 6 : 3
		5  |   vpc   = true
		6  | 
		7  |   lifecycle {
		8  |     prevent_destroy = true
		9  |   }
		10 | 
		11 |   tags = merge(local.tags,
		12 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		13 |   )
		14 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /nlb.tf:82-93
	Guide: https://docs.bridgecrew.io/docs/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		82 | resource "aws_eip" "webgate_eip" {
		83 |   count = local.is-production ? 6 : 3
		84 |   vpc   = true
		85 | 
		86 |   lifecycle {
		87 |     prevent_destroy = true
		88 |   }
		89 | 
		90 |   tags = merge(local.tags,
		91 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		92 |   )
		93 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /secrets.tf:3-10

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /secrets.tf:12-19

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /sns.tf:2-5

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
WARNING: "tflint FILE/DIR" is deprecated and will error in a future version. Use --chdir or --filter instead.
1 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on github/workspace/terraform/environments/ccms-ebs/ec2_mailrelay.tf line 23:
  23:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2
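
The checkov failures above reduce to a handful of missing Terraform attributes. The block below is an added example, not code from this PR or from the ministryofjustice repository: it gives hardened counterparts for a representative subset of the flagged resources. Names assumed rather than taken from the scan output are `aws_kms_key.app`, `data.aws_caller_identity.current` and the topic name `cw-alerts`; the security group, subnet, logging-module and certificate references are the ones the report shows.

```hcl
# Added example, not code from this PR or the repository: hardened counterparts
# for a subset of the resources checkov flagged. Assumed names (not in the PR):
# aws_kms_key.app and data.aws_caller_identity.current.
data "aws_caller_identity" "current" {}

# CMK shared by the log group, parameter, secret and topic below. Its key policy
# (omitted here) must let logs.<region>.amazonaws.com and cloudwatch.amazonaws.com
# use the key, or log-group creation and alarm delivery will fail.
resource "aws_kms_key" "app" {
  description         = "CMK for ccms-ebs logs, parameters, secrets and topics"
  enable_key_rotation = true
}

# CKV_AWS_131: reject requests carrying invalid header names at the ALB.
resource "aws_lb" "webgate_public_lb" {
  name                       = "public-alb-webgate"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.sg_webgate_lb.id]
  subnets                    = data.aws_subnets.shared-public.ids
  enable_deletion_protection = true
  drop_invalid_header_fields = true
  access_logs {
    bucket  = module.s3-bucket-logging.bucket.id
    prefix  = local.lb_log_prefix_wgate_public
    enabled = true
  }
}

# CKV_AWS_103: ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1.
resource "aws_lb_listener" "webgate_public_listener" {
  load_balancer_arn = aws_lb.webgate_public_lb.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = data.aws_acm_certificate.gandi_cert.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.webgate_tg_public.arn
  }
}

# CKV_AWS_283: principals = ["*"] lets any AWS account subscribe to, publish to
# or delete the topic. Management stays with this account; the publishing
# service gets its own statement pinned to the account by condition.
data "aws_iam_policy_document" "sns_topic_policy_ec2cw" {
  statement {
    sid    = "OwnerManagesTopic"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions = ["SNS:GetTopicAttributes", "SNS:SetTopicAttributes", "SNS:Subscribe",
      "SNS:ListSubscriptionsByTopic", "SNS:Publish"]
    resources = [aws_sns_topic.cw_alerts.arn]
  }
  statement {
    sid    = "CloudWatchAlarmsPublish"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.cw_alerts.arn]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# CKV_AWS_26 / CKV_AWS_158 / CKV_AWS_338 / CKV_AWS_337 / CKV2_AWS_34 / CKV_AWS_149:
# encrypt at rest with the CMK rather than the service-managed default.
resource "aws_sns_topic" "cw_alerts" {
  name              = "cw-alerts"
  kms_master_key_id = aws_kms_key.app.arn
}
resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
  name              = "aws-waf-logs-ebs/ebs-waf-logs"
  retention_in_days = 365
  kms_key_id        = aws_kms_key.app.arn
}
resource "aws_ssm_parameter" "cw_agent_config" {
  name   = "cloud-watch-config"
  type   = "SecureString"
  key_id = aws_kms_key.app.arn
  value  = file("./templates/cw_agent_config.json")
}
resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
  name       = "ses-smtp-credentials"
  kms_key_id = aws_kms_key.app.arn
}
```

Attach the policy document with a separate `aws_sns_topic_policy` resource; setting `policy = ...json` on the topic itself would create a reference cycle, because the document names the topic's ARN. The remaining findings follow the same pattern: `metadata_options { http_tokens = "required" }` (already present on `ec2_mailrelay` above, missing on the accessgate, ebsapps and webgate instances) closes CKV_AWS_79, `ebs_optimized = true` closes CKV_AWS_135, and CKV_AWS_261 wants a `health_check` with a `path`, a `matcher` and interval/threshold values rather than only a port and protocol; the Guide URL checkov prints for that check points at an unrelated Kendra page, so go by the check title. For CKV2_AWS_57, the `ftp-s3-*-aws-key` secret holds a static IAM access key for mounting S3; granting the FTP instance's role the bucket permissions directly would remove the long-lived key, and the rotation finding with it.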

@FirdevsKarabagHMCTS FirdevsKarabagHMCTS temporarily deployed to tribunals-development May 26, 2023 10:56 — with GitHub Actions Inactive
@github-actions
Contributor

TFSEC Scan Success

Show Output
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

4 similar comments
@FirdevsKarabagHMCTS FirdevsKarabagHMCTS temporarily deployed to tribunals-development May 30, 2023 14:12 — with GitHub Actions Inactive
@github-actions
Contributor

TFSEC Scan Success

Show Output
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

1 similar comment
@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

2 similar comments
@github-actions
Contributor

github-actions bot commented Jun 1, 2023

TFSEC Scan Success

Show Output
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@github-actions
Contributor

github-actions bot commented Jun 1, 2023

TFSEC Scan Failed

Show Output
*****************************

TFSEC will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running TFSEC in terraform/environments/delius-jitbit
Excluding the following checks: AWS095

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:68
────────────────────────────────────────────────────────────────────────────────
   62    resource "aws_security_group_rule" "allow_all_egress" {
   63      description       = "Allow all outbound traffic to any IPv4 address"
   64      type              = "egress"
   65      from_port         = 0
   66      to_port           = 0
   67      protocol          = "-1"
   68  [   cidr_blocks       = ["0.0.0.0/0"]
   69      security_group_id = aws_security_group.jitbit.id
   70    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-6 CRITICAL Security group rule allows ingress from public internet. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  lb.tf:36-43
────────────────────────────────────────────────────────────────────────────────
   26    resource "aws_security_group" "load_balancer_security_group" {
   ..  
   36  ┌     cidr_blocks = [
   37  │       "81.134.202.29/32", # MoJ Digital VPN
   38  │       "195.59.75.0/24",   # ARK internet (DOM1)
   39  │       "194.33.192.0/25",  # ARK internet (DOM1)
   40  │       "194.33.193.0/25",  # ARK internet (DOM1)
   41  │       "194.33.196.0/25",  # ARK internet (DOM1)
   42  │       "194.33.197.0/25"   # ARK internet (DOM1)
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - lb.tf:26-60 (aws_security_group.load_balancer_security_group) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #7 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  iam.tf:101
────────────────────────────────────────────────────────────────────────────────
   98    data "aws_iam_policy_document" "ecs_exec" {
   ..  
  101  [     resources = ["*"]
  ...  
  114    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #8 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  iam.tf:40
────────────────────────────────────────────────────────────────────────────────
   37    data "aws_iam_policy_document" "ecs_service_policy" {
   ..  
   40  [     resources = ["*"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-10 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  iam.tf:42-50
────────────────────────────────────────────────────────────────────────────────
   37    data "aws_iam_policy_document" "ecs_service_policy" {
   38      statement {
   39        effect    = "Allow"
   40        resources = ["*"]
   41    
   42  ┌     actions = [
   43  │       "elasticloadbalancing:Describe*",
   44  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   45  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - iam.tf:37-52 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #11 HIGH Topic does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  monitoring.tf:2-4
────────────────────────────────────────────────────────────────────────────────
    2    resource "aws_sns_topic" "jitbit_alerting" {
    3      name = "jitbit_alerting"
    4    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-enable-topic-encryption
      Impact The SNS topic messages could be read if compromised
  Resolution Turn on SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/enable-topic-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


Result #12 HIGH Root block device is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  onprem_gateway.tf:89-109
────────────────────────────────────────────────────────────────────────────────
   89  ┌ resource "aws_instance" "onprem_gateway" {
   90  │   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
   91  │   # Specify the instance type and ami to be used (this is the Amazon free tier option)
   92  │   instance_type               = "t3.small"
   93  │   ami                         = data.aws_ami.onprem_gateway_windows.id
   94  │   vpc_security_group_ids      = [aws_security_group.onprem_gateway.id]
   95  │   subnet_id                   = data.aws_subnet.private_subnets_a.id
   96  │   iam_instance_profile        = aws_iam_instance_profile.onprem_gateway.name
   97  └   associate_public_ip_address = false
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enable-at-rest-encryption
      Impact The block device could be compromised and read from
  Resolution Turn on encryption for all block devices

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enable-at-rest-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices
────────────────────────────────────────────────────────────────────────────────


Result #13 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:49
────────────────────────────────────────────────────────────────────────────────
   49      deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #14 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:82-85
────────────────────────────────────────────────────────────────────────────────
   82    resource "aws_cloudwatch_log_group" "jitbit" {
   83      name              = format("%s-ecs", local.application_name)
   84      retention_in_days = 30
   85    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #15 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  monitoring_app.tf:1-6
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_cloudwatch_log_group" "app_logs" {
    2      name              = "delius-jitbit-app"
    3      retention_in_days = 30
    4    
    5      tags = local.tags
    6    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.264434ms
  parsing              3.138350265s
  adaptation           2.63347ms
  checks               44.74239ms
  total                3.186990559s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    6
  blocks processed     274
  files read           45

  results
  ──────────────────────────────────────────
  passed               66
  ignored              36
  critical             6
  high                 6
  medium               1
  low                  2

  66 passed, 36 ignored, 15 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Checkov in terraform/environments/delius-jitbit
2023-06-01 16:08:25,544 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v3.0.7:None (for external modules, the --download-external-modules flag is required)
2023-06-01 16:08:25,544 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v1.0.0:None (for external modules, the --download-external-modules flag is required)
2023-06-01 16:08:25,544 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v1.0.0:None (for external modules, the --download-external-modules flag is required)
2023-06-01 16:08:25,544 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v6.2.0:None (for external modules, the --download-external-modules flag is required)
2023-06-01 16:08:25,552 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v6.4.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 185, Failed checks: 17, Skipped checks: 10

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:82-85
	Guide: https://docs.bridgecrew.io/docs/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		82 | resource "aws_cloudwatch_log_group" "jitbit" {
		83 |   name              = format("%s-ecs", local.application_name)
		84 |   retention_in_days = 30
		85 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:82-85

		82 | resource "aws_cloudwatch_log_group" "jitbit" {
		83 |   name              = format("%s-ecs", local.application_name)
		84 |   retention_in_days = 30
		85 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_alerting
	File: /monitoring.tf:2-4
	Guide: https://docs.bridgecrew.io/docs/general_15

		2 | resource "aws_sns_topic" "jitbit_alerting" {
		3 |   name = "jitbit_alerting"
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.bridgecrew.io/docs/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-app"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-app"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.onprem_gateway
	File: /onprem_gateway.tf:89-109
	Guide: https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances

		89  | resource "aws_instance" "onprem_gateway" {
		90  |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		91  |   # Specify the instance type and ami to be used (this is the Amazon free tier option)
		92  |   instance_type               = "t3.small"
		93  |   ami                         = data.aws_ami.onprem_gateway_windows.id
		94  |   vpc_security_group_ids      = [aws_security_group.onprem_gateway.id]
		95  |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		96  |   iam_instance_profile        = aws_iam_instance_profile.onprem_gateway.name
		97  |   associate_public_ip_address = false
		98  |   monitoring                  = false
		99  |   ebs_optimized               = false
		100 | 
		101 |   metadata_options {
		102 |     http_endpoint = "enabled"
		103 |     http_tokens   = "required"
		104 |   }
		105 | 
		106 |   tags = merge(local.tags,
		107 |     { Name = lower(local.on_prem_dgw_name) }
		108 |   )
		109 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.onprem_gateway
	File: /onprem_gateway.tf:89-109
	Guide: https://docs.bridgecrew.io/docs/general_13

		89  | resource "aws_instance" "onprem_gateway" {
		90  |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		91  |   # Specify the instance type and ami to be used (this is the Amazon free tier option)
		92  |   instance_type               = "t3.small"
		93  |   ami                         = data.aws_ami.onprem_gateway_windows.id
		94  |   vpc_security_group_ids      = [aws_security_group.onprem_gateway.id]
		95  |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		96  |   iam_instance_profile        = aws_iam_instance_profile.onprem_gateway.name
		97  |   associate_public_ip_address = false
		98  |   monitoring                  = false
		99  |   ebs_optimized               = false
		100 | 
		101 |   metadata_options {
		102 |     http_endpoint = "enabled"
		103 |     http_tokens   = "required"
		104 |   }
		105 | 
		106 |   tags = merge(local.tags,
		107 |     { Name = lower(local.on_prem_dgw_name) }
		108 |   )
		109 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.onprem_gateway
	File: /onprem_gateway.tf:89-109
	Guide: https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized

		89  | resource "aws_instance" "onprem_gateway" {
		90  |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		91  |   # Specify the instance type and ami to be used (this is the Amazon free tier option)
		92  |   instance_type               = "t3.small"
		93  |   ami                         = data.aws_ami.onprem_gateway_windows.id
		94  |   vpc_security_group_ids      = [aws_security_group.onprem_gateway.id]
		95  |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		96  |   iam_instance_profile        = aws_iam_instance_profile.onprem_gateway.name
		97  |   associate_public_ip_address = false
		98  |   monitoring                  = false
		99  |   ebs_optimized               = false
		100 | 
		101 |   metadata_options {
		102 |     http_endpoint = "enabled"
		103 |     http_tokens   = "required"
		104 |   }
		105 | 
		106 |   tags = merge(local.tags,
		107 |     { Name = lower(local.on_prem_dgw_name) }
		108 |   )
		109 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:36-75

		36 | resource "aws_db_instance" "jitbit" {
		37 |   engine         = "sqlserver-se"
		38 |   license_model  = "license-included"
		39 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		40 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		41 |   identifier     = "${local.application_name}-${local.environment}-database"
		42 |   username       = local.application_data.accounts[local.environment].db_user
		43 |   password       = aws_secretsmanager_secret_version.db_admin_password.secret_string
		44 | 
		45 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		46 | 
		47 |   # tflint-ignore: aws_db_instance_default_parameter_group
		48 |   parameter_group_name        = "default.sqlserver-se-15.0"
		49 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		50 |   skip_final_snapshot         = local.application_data.accounts[local.environment].db_skip_final_snapshot
		51 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		52 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		53 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		54 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		55 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		56 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		57 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		58 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		59 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		60 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		61 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		62 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		63 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		64 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		65 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		66 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		67 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		68 |   storage_encrypted               = true
		69 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		70 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		71 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		72 |   tags = merge(local.tags,
		73 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		74 |   )
		75 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:36-75

		36 | resource "aws_db_instance" "jitbit" {
		37 |   engine         = "sqlserver-se"
		38 |   license_model  = "license-included"
		39 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		40 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		41 |   identifier     = "${local.application_name}-${local.environment}-database"
		42 |   username       = local.application_data.accounts[local.environment].db_user
		43 |   password       = aws_secretsmanager_secret_version.db_admin_password.secret_string
		44 | 
		45 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		46 | 
		47 |   # tflint-ignore: aws_db_instance_default_parameter_group
		48 |   parameter_group_name        = "default.sqlserver-se-15.0"
		49 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		50 |   skip_final_snapshot         = local.application_data.accounts[local.environment].db_skip_final_snapshot
		51 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		52 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		53 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		54 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		55 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		56 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		57 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		58 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		59 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		60 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		61 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		62 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		63 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		64 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		65 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		66 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		67 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		68 |   storage_encrypted               = true
		69 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		70 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		71 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		72 |   tags = merge(local.tags,
		73 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		74 |   )
		75 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_admin_password
	File: /secrets.tf:12-22

		12 | resource "aws_secretsmanager_secret" "db_admin_password" {
		13 |   #checkov:skip=CKV_AWS_149
		14 |   name                    = "${var.networking[0].application}-db-admin-password"
		15 |   recovery_window_in_days = 0
		16 |   tags = merge(
		17 |     local.tags,
		18 |     {
		19 |       Name = "${var.networking[0].application}-db-admin-password"
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string
	File: /secrets.tf:34-44

		34 | resource "aws_secretsmanager_secret" "db_app_connection_string" {
		35 |   #checkov:skip=CKV_AWS_149
		36 |   name                    = "${var.networking[0].application}-app-connection-string"
		37 |   recovery_window_in_days = 0
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "${var.networking[0].application}-app-connection-string"
		42 |     },
		43 |   )
		44 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running tflint in terraform/environments/delius-jitbit
Excluding the following checks: terraform_unused_declarations
WARNING: "tflint FILE/DIR" is deprecated and will error in a future version. Use --chdir or --filter instead.
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on github/workspace/terraform/environments/delius-jitbit/secrets.tf line 4:
   4: resource "random_password" "db_admin_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@FirdevsKarabagHMCTS FirdevsKarabagHMCTS temporarily deployed to tribunals-development June 1, 2023 16:32 — with GitHub Actions Inactive
github-actions bot commented Jun 1, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

github-actions bot commented Jun 2, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/oasys/ssm-documents/templates

*****************************

Running TFSEC in terraform/environments/oasys/ssm-documents/templates
Skipping folder as path name contains *templates*

Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/oasys/ssm-documents/templates

*****************************

Running Checkov in terraform/environments/oasys/ssm-documents/templates
Skipping folder as path name contains *templates*

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/oasys/ssm-documents/templates

*****************************

Running tflint in terraform/environments/oasys/ssm-documents/templates
Skipping folder as path name contains *templates*
tflint_exitcode=0

github-actions bot commented Jun 2, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/oasys/ssm-documents/templates

*****************************

Running TFSEC in terraform/environments/oasys/ssm-documents/templates
Skipping folder as path name contains *templates*

Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/oasys/ssm-documents/templates

*****************************

Running Checkov in terraform/environments/oasys/ssm-documents/templates
Skipping folder as path name contains *templates*

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/oasys/ssm-documents/templates

*****************************

Running tflint in terraform/environments/oasys/ssm-documents/templates
Skipping folder as path name contains *templates*
tflint_exitcode=0

@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@mark-butler-solirius mark-butler-solirius temporarily deployed to tribunals-development October 25, 2023 15:58 — with GitHub Actions Inactive
@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

… build counts of unique resources for each tribunal
@mark-butler-solirius mark-butler-solirius temporarily deployed to tribunals-development October 26, 2023 16:20 — with GitHub Actions Inactive
@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@mark-butler-solirius mark-butler-solirius temporarily deployed to tribunals-development October 26, 2023 17:25 — with GitHub Actions Inactive
@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             2.354645ms
  parsing              261.698473ms
  adaptation           152.102µs
  checks               18.540224ms
  total                282.745444ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     275
  files read           73

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 95, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.660832ms
  parsing              275.448914ms
  adaptation           133.903µs
  checks               7.841865ms
  total                285.085514ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     275
  files read           73

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 95, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             2.803833ms
  parsing              327.721445ms
  adaptation           230.811µs
  checks               10.685697ms
  total                341.441786ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     275
  files read           73

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 95, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             2.54471ms
  parsing              316.026359ms
  adaptation           155.407µs
  checks               19.104519ms
  total                337.830995ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     275
  files read           73

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 95, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0


This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the Stale label Nov 30, 2023

This PR was closed because it has been stalled for 40 days with no activity.

@github-actions github-actions bot closed this Dec 10, 2023
@github-actions github-actions bot deleted the legacy-tribunals branch December 10, 2023 01:40