Added logging for api #3266

murdo-moj · 2023-09-01T12:22:58Z

No description provided.

github-actions · 2023-09-01T12:25:54Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

github-actions · 2023-09-01T14:07:04Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running TFSEC in terraform/environments/hmpps-domain-services
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             1.41228ms
  parsing              177.669887ms
  adaptation           150.998µs
  checks               8.40171ms
  total                187.634875ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     261
  files read           69

  results
  ──────────────────────────────────────────
  passed               3
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

`Checkov Scan` Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running Checkov in terraform/environments/hmpps-domain-services
terraform scan results:

Passed checks: 92, Failed checks: 15, Skipped checks: 4

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-159
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-159

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-159

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-159

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-159

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-159
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-159

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-159

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.baseline.module.lb_listener.aws_lb_listener.this
	File: /../../modules/lb_listener/main.tf:1-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.baseline.aws_secretsmanager_secret.this
	File: /../../modules/baseline/secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }


checkov_exitcode=1

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running tflint in terraform/environments/hmpps-domain-services
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

github-actions · 2023-09-01T14:07:06Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running TFSEC in terraform/environments/hmpps-domain-services
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             2.471338ms
  parsing              234.492616ms
  adaptation           152.903µs
  checks               10.61795ms
  total                247.734807ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     261
  files read           69

  results
  ──────────────────────────────────────────
  passed               3
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

`Checkov Scan` Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running Checkov in terraform/environments/hmpps-domain-services
terraform scan results:

Passed checks: 92, Failed checks: 15, Skipped checks: 4

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-159
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-159

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-159

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-159

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-159

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-159
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-159

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-159

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.baseline.module.lb_listener.aws_lb_listener.this
	File: /../../modules/lb_listener/main.tf:1-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.baseline.aws_secretsmanager_secret.this
	File: /../../modules/baseline/secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }


checkov_exitcode=1

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running tflint in terraform/environments/hmpps-domain-services
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

github-actions · 2023-09-04T15:03:35Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             1.833417ms
  parsing              215.229823ms
  adaptation           133.709µs
  checks               19.804027ms
  total                237.000976ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     262
  files read           69

  results
  ──────────────────────────────────────────
  passed               3
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

`Checkov Scan` Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 92, Failed checks: 14, Skipped checks: 4

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-134

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-134

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-134

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-134

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-134

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.baseline.aws_secretsmanager_secret.this
	File: /../../modules/baseline/secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 23:
  23:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 27:
  27:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 52:
  52:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 56:
  56:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

github-actions · 2023-09-05T10:21:07Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/modules/baseline

*****************************

Running TFSEC in terraform/modules/baseline
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             1.233024ms
  parsing              45.526439ms
  adaptation           80.601µs
  checks               8.407155ms
  total                55.247219ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     108
  files read           23

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

`Checkov Scan` Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/modules/baseline

*****************************

Running Checkov in terraform/modules/baseline
terraform scan results:

Passed checks: 84, Failed checks: 15, Skipped checks: 4

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.this
	File: /backups.tf:35-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux[0]
	File: /bastion_linux.tf:1-36

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_autoscaling_group
	File: /ec2_autoscaling_group.tf:13-77

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_instance
	File: /ec2_instance.tf:1-58

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: lb
	File: /lb.tf:17-48

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket
	File: /s3_bucket.tf:29-55

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.lb_listener.aws_lb_listener.this
	File: /../lb_listener/main.tf:1-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.fixed
	File: /ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.placeholder
	File: /ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.this
	File: /secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.route53_resolver[0]
	File: /route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/modules/baseline

*****************************

Running tflint in terraform/modules/baseline
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/modules/baseline/ssm.tf line 49:
  49: resource "random_password" "this" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline/variables.tf line 467:
 467: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

murdo-moj · 2023-09-05T10:21:21Z

terraform/environments/data-platform/tests/test_data_upload.sh

+
+file="tiny_test_4.csv"
+file_md5=$(cat $file | openssl dgst -md5 -binary | base64)
+request_presigned_url="https://hsolkci589.execute-api.eu-west-2.amazonaws.com/development/upload_data"


this could be passed as a parameter on automation

github-actions · 2023-09-05T13:26:31Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/observability-platform

*****************************

Running TFSEC in terraform/environments/observability-platform
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             212.203µs
  parsing              5.691067ms
  adaptation           102.201µs
  checks               12.154043ms
  total                18.159514ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     41
  files read           10

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/observability-platform

*****************************

Running Checkov in terraform/environments/observability-platform
terraform scan results:

Passed checks: 7, Failed checks: 0, Skipped checks: 0


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/observability-platform

*****************************

Running tflint in terraform/environments/observability-platform
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

github-actions · 2023-09-05T13:28:21Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/observability-platform

*****************************

Running TFSEC in terraform/environments/observability-platform
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             190.802µs
  parsing              5.066833ms
  adaptation           104.5µs
  checks               14.532094ms
  total                19.894229ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     41
  files read           10

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/observability-platform

*****************************

Running Checkov in terraform/environments/observability-platform
terraform scan results:

Passed checks: 7, Failed checks: 0, Skipped checks: 0


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/observability-platform

*****************************

Running tflint in terraform/environments/observability-platform
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

github-actions · 2023-09-05T13:37:02Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/observability-platform

*****************************

Running TFSEC in terraform/environments/observability-platform
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             265.802µs
  parsing              9.335958ms
  adaptation           163.501µs
  checks               22.157336ms
  total                31.922597ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     41
  files read           10

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/observability-platform

*****************************

Running Checkov in terraform/environments/observability-platform
terraform scan results:

Passed checks: 7, Failed checks: 0, Skipped checks: 0


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/observability-platform

*****************************

Running tflint in terraform/environments/observability-platform
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

github-actions · 2023-09-05T14:30:30Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

github-actions · 2023-09-05T14:37:02Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

github-actions · 2023-09-06T08:34:04Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

github-actions · 2023-09-06T14:58:47Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

github-actions · 2023-09-06T15:01:52Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

github-actions · 2023-09-12T12:38:16Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

murdo-moj requested review from a team September 1, 2023 12:22

murdo-moj requested review from a team as code owners September 1, 2023 12:22

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 1, 2023

murdo-moj had a problem deploying to data-platform-development September 1, 2023 12:24 — with GitHub Actions Failure

murdo-moj temporarily deployed to data-platform-development September 1, 2023 14:06 — with GitHub Actions Inactive

murdo-moj commented Sep 5, 2023

View reviewed changes

murdo-moj had a problem deploying to data-platform-test September 5, 2023 14:36 — with GitHub Actions Failure

murdo-moj had a problem deploying to data-platform-development September 5, 2023 14:36 — with GitHub Actions Failure

murdo-moj had a problem deploying to data-platform-development September 6, 2023 08:32 — with GitHub Actions Failure

murdo-moj had a problem deploying to data-platform-test September 6, 2023 08:33 — with GitHub Actions Failure

murdo-moj had a problem deploying to data-platform-development September 6, 2023 09:24 — with GitHub Actions Failure

murdo-moj had a problem deploying to data-platform-test September 6, 2023 09:24 — with GitHub Actions Failure

murdo-moj had a problem deploying to data-platform-development September 6, 2023 09:29 — with GitHub Actions Failure

murdo-moj temporarily deployed to data-platform-test September 6, 2023 09:29 — with GitHub Actions Inactive

murdo-moj had a problem deploying to data-platform-development September 6, 2023 14:57 — with GitHub Actions Failure

murdo-moj temporarily deployed to data-platform-test September 6, 2023 14:58 — with GitHub Actions Inactive

murdo-moj had a problem deploying to data-platform-test September 6, 2023 15:00 — with GitHub Actions Failure

murdo-moj had a problem deploying to data-platform-development September 6, 2023 15:01 — with GitHub Actions Failure

murdo-moj added 13 commits September 12, 2023 13:34

Added logging for api

2c61607

Removing api level logging

c068802

Adding to github workflow

4ee8613

Initial commit

4dd90a9

added a depends_on

67a11db

Changed depends_on

35db5c9

add more to depends on

992742b

added

12713ba

comment all the lambdas to create workgroup

1876267

try to get all envs to plan

a75f8ae

Create lambdas with non-dependent policies

60e9b8b

removed depends on

872277f

Added terratest and smoketest for data-platform

87ed965

murdo-moj force-pushed the pd-1321 branch from 4002bea to 87ed965 Compare September 12, 2023 12:35

murdo-moj closed this Sep 12, 2023

murdo-moj deleted the pd-1321 branch September 12, 2023 12:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added logging for api #3266

Added logging for api #3266

murdo-moj commented Sep 1, 2023

github-actions bot commented Sep 1, 2023

github-actions bot commented Sep 1, 2023

github-actions bot commented Sep 1, 2023

github-actions bot commented Sep 4, 2023

github-actions bot commented Sep 5, 2023

murdo-moj Sep 5, 2023

github-actions bot commented Sep 5, 2023

github-actions bot commented Sep 5, 2023

github-actions bot commented Sep 5, 2023

github-actions bot commented Sep 5, 2023

github-actions bot commented Sep 5, 2023

github-actions bot commented Sep 6, 2023

github-actions bot commented Sep 6, 2023

github-actions bot commented Sep 6, 2023

github-actions bot commented Sep 12, 2023

Added logging for api #3266

Added logging for api #3266

Conversation

murdo-moj commented Sep 1, 2023

github-actions bot commented Sep 1, 2023

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

github-actions bot commented Sep 1, 2023

TFSEC Scan Success

Checkov Scan Failed

CTFLint Scan Success

github-actions bot commented Sep 1, 2023

TFSEC Scan Success

Checkov Scan Failed

CTFLint Scan Success

github-actions bot commented Sep 4, 2023

TFSEC Scan Success

Checkov Scan Failed

CTFLint Scan Failed

github-actions bot commented Sep 5, 2023

TFSEC Scan Success

Checkov Scan Failed

CTFLint Scan Failed

murdo-moj Sep 5, 2023

Choose a reason for hiding this comment

github-actions bot commented Sep 5, 2023

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

github-actions bot commented Sep 5, 2023

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

github-actions bot commented Sep 5, 2023

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

github-actions bot commented Sep 5, 2023

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

github-actions bot commented Sep 5, 2023

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

github-actions bot commented Sep 6, 2023

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

github-actions bot commented Sep 6, 2023

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

github-actions bot commented Sep 6, 2023

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

github-actions bot commented Sep 12, 2023

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

`TFSEC Scan` Success

`Checkov Scan` Success

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Failed

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Failed

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Failed

`CTFLint Scan` Failed

`TFSEC Scan` Success

`Checkov Scan` Failed

`CTFLint Scan` Failed

`TFSEC Scan` Success

`Checkov Scan` Success

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Success

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Success

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Success

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Success

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Success

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Success

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Success

`CTFLint Scan` Success

`TFSEC Scan` Success

`Checkov Scan` Success

`CTFLint Scan` Success