Dpl 1193 metadata api #3278

Merged
merged 14 commits into from
Sep 8, 2023

Conversation

LavMatt

@LavMatt LavMatt commented Sep 4, 2023

This adds infra related to the development of a create data product metadata endpoint:

  • API Gateway required resources
  • new Lambda function for new container image
  • IAM permissions for new role for Lambda to use
  • variables relating to the version of the Lambda image

@LavMatt LavMatt requested review from a team September 4, 2023 12:27
@LavMatt LavMatt requested review from a team as code owners September 4, 2023 12:27
@github-actions github-actions bot added the environments-repository label (Used to exclude PRs from this repo in our Slack PR update) Sep 4, 2023
@LavMatt LavMatt had a problem deploying to data-platform-development September 4, 2023 12:29 — with GitHub Actions Failure
@github-actions

github-actions bot commented Sep 4, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@LavMatt LavMatt had a problem deploying to data-platform-development September 5, 2023 07:17 — with GitHub Actions Failure
@github-actions

github-actions bot commented Sep 5, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@LavMatt LavMatt temporarily deployed to data-platform-development September 6, 2023 14:19 — with GitHub Actions Inactive
@github-actions

github-actions bot commented Sep 6, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             3.355267ms
  parsing              207.125731ms
  adaptation           121.803µs
  checks               15.684128ms
  total                226.286929ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     262
  files read           69

  results
  ──────────────────────────────────────────
  passed               3
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 92, Failed checks: 14, Skipped checks: 4

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-134

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-134

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-134

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-134

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-134

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.baseline.aws_secretsmanager_secret.this
	File: /../../modules/baseline/secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 23:
  23:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 27:
  27:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 52:
  52:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 56:
  56:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2
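
The Checkov and tflint failures in the comment above are all reported against the shared baseline modules (the File: paths point at ../../modules/baseline) when scanning terraform/environments/corporate-staff-rostering, not against data-platform files. For reference, the following is an added example, not code from the modernisation-platform-environments repository or from the author of this PR. It places the configuration that trips each class of finding next to the form that passes it: CKV_AWS_166, CKV_AWS_158/CKV_AWS_338, CKV_TF_1, CKV2_AWS_34, CKV2_AWS_57 and the tflint terraform_deprecated_interpolation warning. The variables, resource names, the commit SHA and the sample CIDR map are placeholders or constructed sample data; the module block shows only the source argument, with its inputs omitted.

```hcl
# Added example, not code from the modernisation-platform-environments repository.
# Each pair shows the configuration that fails the check reported above next to
# the form that passes it. Key ARNs, names and the commit SHA are placeholders.

variable "kms_key_arn" {
  description = "Placeholder: a customer-managed KMS key in the same region as the resources below"
  type        = string
}

variable "rotation_lambda_arn" {
  description = "Placeholder: a Secrets Manager rotation function"
  type        = string
}

# CKV_AWS_166: with no kms_key_arn the vault is encrypted under the AWS-managed
# key, outside the account's own key policy. Setting the argument closes it.
resource "aws_backup_vault" "fails" {
  name = "example-vault-unencrypted"
}

resource "aws_backup_vault" "passes" {
  name        = "example-vault"
  kms_key_arn = var.kms_key_arn
}

# CKV_AWS_158 and CKV_AWS_338: the route53 log group above has no kms_key_id and
# a 30-day retention. The flagged group is created under provider aws.us-east-1,
# so the key must live in us-east-1 as well (KMS keys are regional) and its key
# policy must allow the logs.us-east-1.amazonaws.com service principal to use it.
resource "aws_cloudwatch_log_group" "passes" {
  name              = "/route53/example-zone"
  retention_in_days = 365
  kms_key_id        = var.kms_key_arn
}

# CKV_TF_1: ?ref=v4.0.0 is a git tag, which can be moved or re-pushed; a full
# 40-character commit SHA cannot be. The SHA here is an all-zero placeholder,
# not a real commit. Inputs are omitted; they are unchanged from bastion_linux.tf above.
module "bastion_linux_pinned" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=0000000000000000000000000000000000000000"
}

# CKV2_AWS_34: type = "String" is stored in plaintext. SecureString with an
# explicit key_id is encrypted under that key; SecureString without key_id
# falls back to the AWS-managed alias/aws/ssm key.
resource "aws_ssm_parameter" "fails" {
  name  = "/example/plain"
  type  = "String"
  value = "placeholder-value"
}

resource "aws_ssm_parameter" "passes" {
  name   = "/example/secure"
  type   = "SecureString"
  key_id = var.kms_key_arn
  value  = "placeholder-value"
}

# CKV2_AWS_57: a secret with no rotation resource attached is only ever rotated
# by hand. The rotation resource references the secret and a rotation function.
resource "aws_secretsmanager_secret" "passes" {
  name       = "example/secret"
  kms_key_id = var.kms_key_arn
}

resource "aws_secretsmanager_secret_rotation" "passes" {
  secret_id           = aws_secretsmanager_secret.passes.id
  rotation_lambda_arn = var.rotation_lambda_arn

  rotation_rules {
    automatically_after_days = 30
  }
}

# tflint terraform_deprecated_interpolation: wrapping a lone expression in
# "${...}" is a Terraform 0.11 idiom. The flagged line
#   "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}"
# becomes module.ip_addresses.mp_cidr[module.environment.vpc_name]. The same
# fix is shown here on local values so the block stands alone.
locals {
  mp_cidr  = { "example-vpc" = "10.0.0.0/16" } # constructed sample data
  vpc_name = "example-vpc"

  cidr_fails  = "${local.mp_cidr[local.vpc_name]}"
  cidr_passes = local.mp_cidr[local.vpc_name]
}
```

The RDS Performance Insights findings (CKV_AWS_353, CKV_AWS_354) and the unattached security group (CKV2_AWS_5) are not shown, since the first needs a full aws_db_instance and the second is a question of whether the group is ever referenced rather than of a setting. Where a finding is reviewed and accepted rather than fixed, Checkov's inline `#checkov:skip=CKV_ID:reason` comment on the resource records that decision and moves it into the "Skipped checks" count, instead of leaving the same failure to reappear on every run as it does in the two Sep 6 comments here.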

@LavMatt LavMatt temporarily deployed to data-platform-development September 6, 2023 14:37 — with GitHub Actions Inactive
@github-actions

github-actions bot commented Sep 6, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             1.452595ms
  parsing              212.75901ms
  adaptation           133.4µs
  checks               14.694638ms
  total                229.039643ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     262
  files read           69

  results
  ──────────────────────────────────────────
  passed               3
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 92, Failed checks: 14, Skipped checks: 4

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-134

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-134

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-134

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-134

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-134

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.baseline.aws_secretsmanager_secret.this
	File: /../../modules/baseline/secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 23:
  23:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 27:
  27:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 52:
  52:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 56:
  56:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@LavMatt LavMatt temporarily deployed to data-platform-development September 7, 2023 08:00 — with GitHub Actions Inactive
@github-actions

github-actions bot commented Sep 7, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             1.662521ms
  parsing              212.260206ms
  adaptation           181.703µs
  checks               14.517026ms
  total                228.621456ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     262
  files read           69

  results
  ──────────────────────────────────────────
  passed               3
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 92, Failed checks: 14, Skipped checks: 4

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-134

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-134

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-134

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-134

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-134

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.baseline.aws_secretsmanager_secret.this
	File: /../../modules/baseline/secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 23:
  23:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 27:
  27:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 52:
  52:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 56:
  56:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@LavMatt LavMatt had a problem deploying to data-platform-development September 7, 2023 09:38 — with GitHub Actions Failure
@LavMatt LavMatt temporarily deployed to data-platform-development September 7, 2023 09:49 — with GitHub Actions Inactive
@LavMatt LavMatt temporarily deployed to data-platform-development September 7, 2023 11:46 — with GitHub Actions Inactive
@github-actions

github-actions bot commented Sep 7, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/modules/baseline

*****************************

Running TFSEC in terraform/modules/baseline
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             801.204µs
  parsing              38.445285ms
  adaptation           91.701µs
  checks               7.002652ms
  total                46.340842ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     109
  files read           23

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/modules/baseline

*****************************

Running Checkov in terraform/modules/baseline
2023-09-07 11:47:40,144 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.1.1:None (for external modules, the --download-external-modules flag is required)
2023-09-07 11:47:40,144 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 11:47:40,144 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 11:47:40,145 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 11:47:40,145 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.1.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 84, Failed checks: 15, Skipped checks: 4

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.this
	File: /backups.tf:35-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux[0]
	File: /bastion_linux.tf:1-36

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_autoscaling_group
	File: /ec2_autoscaling_group.tf:13-85

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_instance
	File: /ec2_instance.tf:1-66

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: lb
	File: /lb.tf:17-48

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket
	File: /s3_bucket.tf:29-55

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.lb_listener.aws_lb_listener.this
	File: /../lb_listener/main.tf:1-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.route53_resolver[0]
	File: /route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.fixed
	File: /ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.placeholder
	File: /ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.this
	File: /secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/modules/baseline

*****************************

Running tflint in terraform/modules/baseline
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/modules/baseline/secretsmanager.tf line 56:
  56: resource "random_password" "secrets" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline/variables.tf line 475:
 475: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

@LavMatt LavMatt had a problem deploying to data-platform-development September 7, 2023 13:01 — with GitHub Actions Failure
@github-actions

github-actions bot commented Sep 7, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@github-actions

github-actions bot commented Sep 7, 2023

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running TFSEC in terraform/environments/delius-jitbit
Excluding the following checks: AWS095

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:70
────────────────────────────────────────────────────────────────────────────────
   64    resource "aws_security_group_rule" "allow_all_egress" {
   65      description       = "Allow all outbound traffic to any IPv4 address"
   66      type              = "egress"
   67      from_port         = 0
   68      to_port           = 0
   69      protocol          = "-1"
   70  [   cidr_blocks       = ["0.0.0.0/0"]
   71      security_group_id = aws_security_group.jitbit.id
   72    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-13 CRITICAL Security group rule allows ingress from public internet. (12 similar results)
────────────────────────────────────────────────────────────────────────────────
  lb.tf:36-54
────────────────────────────────────────────────────────────────────────────────
   26    resource "aws_security_group" "load_balancer_security_group" {
   ..  
   36  ┌     cidr_blocks = [
   37  │       "81.134.202.29/32",  # MoJ Digital VPN
   38  │       "217.33.148.210/32", # Digital studio
   39  │       "195.59.75.0/24",    # ARK internet (DOM1)
   40  │       "194.33.192.0/25",   # ARK internet (DOM1)
   41  │       "194.33.193.0/25",   # ARK internet (DOM1)
   42  │       "194.33.196.0/25",   # ARK internet (DOM1)
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - lb.tf:26-81 (aws_security_group.load_balancer_security_group) 12 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Results #14-19 CRITICAL Security group rule allows ingress from public internet. (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  lb.tf:56-64
────────────────────────────────────────────────────────────────────────────────
   26    resource "aws_security_group" "load_balancer_security_group" {
   ..  
   56  ┌     ipv6_cidr_blocks = [
   57  │       # Route53 Healthcheck Access Cidrs IPv6
   58  │       "2406:da18:7ff:f800::/53",  # ap-southeast-1 Region
   59  │       "2406:da18:fff:f800::/53",  # ap-southeast-1 Region
   60  │       "2a05:d018:fff:f800::/53",  # eu-west-1 Region
   61  │       "2a05:d018:7ff:f800::/53",  # eu-west-1 Region
   62  │       "2600:1f18:7fff:f800::/53", # us-east-1 Region
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - lb.tf:26-81 (aws_security_group.load_balancer_security_group) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  iam.tf:101
────────────────────────────────────────────────────────────────────────────────
   98    data "aws_iam_policy_document" "ecs_exec" {
   ..  
  101  [     resources = ["*"]
  ...  
  114    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  iam.tf:40
────────────────────────────────────────────────────────────────────────────────
   37    data "aws_iam_policy_document" "ecs_service_policy" {
   ..  
   40  [     resources = ["*"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #22-23 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  iam.tf:42-50
────────────────────────────────────────────────────────────────────────────────
   37    data "aws_iam_policy_document" "ecs_service_policy" {
   38      statement {
   39        effect    = "Allow"
   40        resources = ["*"]
   41    
   42  ┌     actions = [
   43  │       "elasticloadbalancing:Describe*",
   44  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   45  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - iam.tf:37-52 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Topic does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  monitoring.tf:6-8
────────────────────────────────────────────────────────────────────────────────
    6    resource "aws_sns_topic" "jitbit_alerting" {
    7      name = "jitbit_alerting"
    8    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-enable-topic-encryption
      Impact The SNS topic messages could be read if compromised
  Resolution Turn on SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/enable-topic-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


Result #25 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:50
────────────────────────────────────────────────────────────────────────────────
   50      deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #26 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:84-87
────────────────────────────────────────────────────────────────────────────────
   84    resource "aws_cloudwatch_log_group" "jitbit" {
   85      name              = format("%s-ecs", local.application_name)
   86      retention_in_days = 30
   87    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #27 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  monitoring_app.tf:1-6
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_cloudwatch_log_group" "app_logs" {
    2      name              = "delius-jitbit-app"
    3      retention_in_days = 30
    4    
    5      tags = local.tags
    6    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  waf.tf:59-63
────────────────────────────────────────────────────────────────────────────────
   59    resource "aws_cloudwatch_log_group" "waf" {
   60      name              = "aws-waf-logs-${local.application_name}"
   61      retention_in_days = 60
   62      tags              = local.tags
   63    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.135711ms
  parsing              2.83498746s
  adaptation           5.789853ms
  checks               28.57766ms
  total                2.870490684s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    7
  blocks processed     315
  files read           51

  results
  ──────────────────────────────────────────
  passed               69
  ignored              39
  critical             19
  high                 5
  medium               1
  low                  3

  69 passed, 39 ignored, 28 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Checkov in terraform/environments/delius-jitbit
2023-09-07 13:15:44,475 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1:None (for external modules, the --download-external-modules flag is required)
2023-09-07 13:15:44,476 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 13:15:44,476 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 13:15:44,476 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 167, Failed checks: 23, Skipped checks: 8

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-37

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name          = "bastion"
		16 |   bucket_versioning    = true
		17 |   bucket_force_destroy = true
		18 |   # public keys
		19 |   public_key_data = local.public_key_data.keys[local.environment]
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 |   # bastion
		26 |   allow_ssh_commands = false
		27 | 
		28 |   app_name      = var.networking[0].application
		29 |   business_unit = local.vpc_name
		30 |   subnet_set    = local.subnet_set
		31 |   environment   = local.environment
		32 |   region        = "eu-west-2"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs.tf:1-8

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		3 | 
		4 |   environment = local.environment
		5 |   name        = local.application_name
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ecs.tf:11-51

		11 | module "s3_bucket_app_deployment" {
		12 | 
		13 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		14 | 
		15 |   providers = {
		16 |     aws.bucket-replication = aws
		17 |   }
		18 |   bucket_name        = "${local.application_name}-${local.environment}-deployment"
		19 |   versioning_enabled = true
		20 | 
		21 |   ownership_controls = "BucketOwnerEnforced"
		22 | 
		23 |   lifecycle_rule = [
		24 |     {
		25 |       id      = "main"
		26 |       enabled = "Enabled"
		27 |       prefix  = ""
		28 | 
		29 |       tags = {
		30 |         rule      = "log"
		31 |         autoclean = "true"
		32 |       }
		33 | 
		34 |       noncurrent_version_transition = [
		35 |         {
		36 |           days          = 90
		37 |           storage_class = "STANDARD_IA"
		38 |           }, {
		39 |           days          = 365
		40 |           storage_class = "GLACIER"
		41 |         }
		42 |       ]
		43 | 
		44 |       noncurrent_version_expiration = {
		45 |         days = 730
		46 |       }
		47 |     }
		48 |   ]
		49 | 
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_alerting
	File: /monitoring.tf:6-8
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html

		6 | resource "aws_sns_topic" "jitbit_alerting" {
		7 |   name = "jitbit_alerting"
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:37-44

		37 | module "pagerduty_core_alerts" {
		38 |   depends_on = [
		39 |     aws_sns_topic.jitbit_alerting
		40 |   ]
		41 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		42 |   sns_topics                = [aws_sns_topic.jitbit_alerting.name]
		43 |   pagerduty_integration_key = local.pagerduty_integration_key
		44 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-app"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-app"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:36-88

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket
	File: /s3.tf:1-84

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.this
	File: /waf.tf:1-53
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.waf
	File: /waf.tf:59-63
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		59 | resource "aws_cloudwatch_log_group" "waf" {
		60 |   name              = "aws-waf-logs-${local.application_name}"
		61 |   retention_in_days = 60
		62 |   tags              = local.tags
		63 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.waf
	File: /waf.tf:59-63

		59 | resource "aws_cloudwatch_log_group" "waf" {
		60 |   name              = "aws-waf-logs-${local.application_name}"
		61 |   retention_in_days = 60
		62 |   tags              = local.tags
		63 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string
	File: /secrets.tf:5-15

		5  | resource "aws_secretsmanager_secret" "db_app_connection_string" {
		6  |   #checkov:skip=CKV_AWS_149
		7  |   name                    = "${var.networking[0].application}-app-connection-string"
		8  |   recovery_window_in_days = 0
		9  |   tags = merge(
		10 |     local.tags,
		11 |     {
		12 |       Name = "${var.networking[0].application}-app-connection-string"
		13 |     },
		14 |   )
		15 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:36-88

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }


checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running tflint in terraform/environments/delius-jitbit
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@LavMatt LavMatt had a problem deploying to data-platform-development September 7, 2023 14:40 — with GitHub Actions Failure

github-actions bot commented Sep 7, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/modules/baseline

*****************************

Running TFSEC in terraform/modules/baseline
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             622.598µs
  parsing              40.266163ms
  adaptation           91.699µs
  checks               8.015073ms
  total                48.995533ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     109
  files read           23

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/modules/baseline

*****************************

Running Checkov in terraform/modules/baseline
2023-09-07 14:41:57,225 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.1.1:None (for external modules, the --download-external-modules flag is required)
2023-09-07 14:41:57,225 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 14:41:57,225 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 14:41:57,226 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 14:41:57,226 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.1.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 83, Failed checks: 5, Skipped checks: 15

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.lb_listener.aws_lb_listener.this
	File: /../lb_listener/main.tf:1-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/modules/baseline

*****************************

Running tflint in terraform/modules/baseline
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline/variables.tf line 476:
 476: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

@LavMatt LavMatt had a problem deploying to data-platform-development September 7, 2023 14:51 — with GitHub Actions Failure

github-actions bot commented Sep 7, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/modules/baseline

*****************************

Running TFSEC in terraform/modules/baseline
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             729.319µs
  parsing              51.968237ms
  adaptation           96.102µs
  checks               9.715569ms
  total                62.509227ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     109
  files read           23

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/modules/baseline

*****************************

Running Checkov in terraform/modules/baseline
2023-09-07 14:52:59,022 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.1.1:None (for external modules, the --download-external-modules flag is required)
2023-09-07 14:52:59,022 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 14:52:59,022 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 14:52:59,023 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-07 14:52:59,023 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.1.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 83, Failed checks: 5, Skipped checks: 15

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.lb_listener.aws_lb_listener.this
	File: /../lb_listener/main.tf:1-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/modules/baseline

*****************************

Running tflint in terraform/modules/baseline
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline/variables.tf line 476:
 476: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

MatMoore previously approved these changes Sep 7, 2023

@MatMoore MatMoore left a comment

LGTM, just some minor suggestions.

Review comments on:
terraform/environments/data-platform/api.tf
terraform/environments/data-platform/api.tf
terraform/environments/data-platform/iam.tf (outdated)

github-actions bot commented Sep 8, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.665408ms
  parsing              195.20587ms
  adaptation           144.301µs
  checks               17.760497ms
  total                214.776076ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     263
  files read           69

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 91, Failed checks: 4, Skipped checks: 15

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 23:
  23:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 27:
  27:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 52:
  52:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 56:
  56:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@LavMatt LavMatt merged commit 1205fb6 into main Sep 8, 2023
8 of 10 checks passed
@LavMatt LavMatt deleted the dpl-1193-metadata-api branch September 8, 2023 08:22
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update