add ports for AD inbound to security groups #3295

Merged
merged 2 commits into from
Sep 6, 2023

Conversation

robertsweetman (Contributor):

137, 138 UDP and 139 TCP for NetBIOS
9389 TCP Active Directory Web Services
389 UDP for LDAP Server
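
The ports listed in the PR description, written out as a Terraform security group. This is an added example, not code from this PR or from the modernisation-platform repository: the resource and variable names, the `ad_client_cidrs` source range and the `vpc_id` variable are placeholders. Each port is restricted to named source ranges, every rule carries a description that survives into the console, and a `precondition` refuses to plan if a source range is ever widened to the whole internet.

```hcl
# Added example: AD inbound ports from the PR description as explicit,
# source-restricted security group rules. Names, CIDRs and the VPC
# reference below are placeholders, not the repository's own values.
# Requires Terraform >= 1.2 for lifecycle preconditions.

variable "vpc_id" {
  type        = string
  description = "VPC in which to create the security group (assumed input)"
}

locals {
  # Only these ranges may reach the domain controllers (assumed value).
  ad_client_cidrs = ["10.20.0.0/16"]

  # One entry per rule. The description ends up on the rule itself,
  # which is what reviewers and auditors actually read in the console.
  ad_inbound_rules = {
    netbios_name_datagram = {
      protocol    = "udp"
      from_port   = 137
      to_port     = 138
      description = "NetBIOS name service (137/udp) and datagram service (138/udp)"
    }
    netbios_session = {
      protocol    = "tcp"
      from_port   = 139
      to_port     = 139
      description = "NetBIOS session service (139/tcp)"
    }
    adws = {
      protocol    = "tcp"
      from_port   = 9389
      to_port     = 9389
      description = "Active Directory Web Services (9389/tcp)"
    }
    cldap = {
      protocol    = "udp"
      from_port   = 389
      to_port     = 389
      description = "LDAP over UDP (CLDAP, 389/udp, used for DC locator pings)"
    }
  }
}

resource "aws_security_group" "ad_inbound" {
  name        = "ad-inbound" # placeholder name
  description = "Inbound Active Directory traffic from domain members"
  vpc_id      = var.vpc_id

  dynamic "ingress" {
    for_each = local.ad_inbound_rules
    content {
      description = ingress.value.description
      protocol    = ingress.value.protocol
      from_port   = ingress.value.from_port
      to_port     = ingress.value.to_port
      cidr_blocks = local.ad_client_cidrs
    }
  }

  # No egress block: with inline rules the provider removes AWS's default
  # allow-all egress, so outbound access has to be added deliberately.

  lifecycle {
    # Fail at plan time if anyone points these ports at the internet.
    precondition {
      condition = alltrue([
        for c in local.ad_client_cidrs : !contains(["0.0.0.0/0", "::/0"], c)
      ])
      error_message = "AD inbound rules must not be exposed to 0.0.0.0/0 or ::/0."
    }
  }

  tags = { Name = "ad-inbound" }
}
```

Two points worth keeping straight when these rules are reviewed. First, 389/udp is CLDAP, the connectionless LDAP used by the DC locator ping; LDAP binds and queries themselves run over 389/tcp (or 636/tcp for LDAPS), so a rule described as "LDAP Server" on UDP only covers locator traffic. Second, the PR title says "add ports", and these four rules are additive: a working domain member or domain controller relationship also needs, at minimum, DNS (53), Kerberos (88 and 464), the RPC endpoint mapper (135), SMB (445), LDAP/LDAPS over TCP (389, 636), the global catalog (3268, 3269) and the dynamic RPC range, none of which this page lists. When the clients live in the same VPC, referencing their security group via `security_groups` instead of CIDRs keeps the rule correct as addresses change.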

@robertsweetman robertsweetman requested review from a team as code owners September 6, 2023 09:44
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 6, 2023
@robertsweetman robertsweetman had a problem deploying to corporate-staff-rostering-development September 6, 2023 09:46 — with GitHub Actions Failure
@robertsweetman robertsweetman had a problem deploying to corporate-staff-rostering-test September 6, 2023 09:46 — with GitHub Actions Failure
github-actions bot commented Sep 6, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis terraform/environments/nomis/templates terraform/modules/baseline_presets

*****************************

Running TFSEC in terraform/environments/nomis
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             1.971835ms
  parsing              307.642472ms
  adaptation           637.109µs
  checks               20.329789ms
  total                330.581205ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     273
  files read           73

  results
  ──────────────────────────────────────────
  passed               39
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

*****************************

Running TFSEC in terraform/environments/nomis/templates
Skipping folder as path name contains *templates*

*****************************

Running TFSEC in terraform/modules/baseline_presets
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             372.602µs
  parsing              32.892368ms
  adaptation           91.001µs
  checks               8.298518ms
  total                41.654489ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     37
  files read           17

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis terraform/environments/nomis/templates terraform/modules/baseline_presets

*****************************

Running Checkov in terraform/environments/nomis
terraform scan results:

Passed checks: 122, Failed checks: 17, Skipped checks: 4

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ec2_common.tf:322-370

		322 | data "aws_iam_policy_document" "cloudwatch_datasource" {
		323 |   statement {
		324 |     sid    = "AllowReadingMetricsFromCloudWatch"
		325 |     effect = "Allow"
		326 |     actions = [
		327 |       "cloudwatch:DescribeAlarmsForMetric",
		328 |       "cloudwatch:DescribeAlarmHistory",
		329 |       "cloudwatch:DescribeAlarms",
		330 |       "cloudwatch:ListMetrics",
		331 |       "cloudwatch:GetMetricData",
		332 |       "cloudwatch:GetInsightRuleReport"
		333 |     ]
		334 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		335 |     resources = ["*"]
		336 |   }
		337 |   statement {
		338 |     sid    = "AllowReadingLogsFromCloudWatch"
		339 |     effect = "Allow"
		340 |     actions = [
		341 |       "logs:DescribeLogGroups",
		342 |       "logs:GetLogGroupFields",
		343 |       "logs:StartQuery",
		344 |       "logs:StopQuery",
		345 |       "logs:GetQueryResults",
		346 |       "logs:GetLogEvents"
		347 |     ]
		348 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		349 |     resources = ["*"]
		350 |   }
		351 |   statement {
		352 |     sid    = "AllowReadingTagsInstancesRegionsFromEC2"
		353 |     effect = "Allow"
		354 |     actions = [
		355 |       "ec2:DescribeTags",
		356 |       "ec2:DescribeInstances",
		357 |       "ec2:DescribeRegions"
		358 |     ]
		359 |     resources = ["*"]
		360 |   }
		361 |   statement {
		362 |     sid    = "AllowReadingResourcesForTags"
		363 |     effect = "Allow"
		364 |     actions = [
		365 |       "tag:GetResources"
		366 |     ]
		367 |     resources = ["*"]
		368 |   }
		369 | 
		370 | }

Check: CKV_AWS_113: "Ensure Session Manager logs are enabled and encrypted"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-networking-62.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_112: "Ensure Session Manager data is encrypted in transit"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-session-manager-data-is-encrypted-in-transit.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-164
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-164

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-164

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-164

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-164

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-164
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-164

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-164

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.baseline.aws_secretsmanager_secret.this
	File: /../../modules/baseline/secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/nomis/templates
Skipping folder as path name contains *templates*

*****************************

Running Checkov in terraform/modules/baseline_presets

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis terraform/environments/nomis/templates terraform/modules/baseline_presets

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
6 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 22:
  22:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 37:
  37:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 41:
  41:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 50:
  50:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 65:
  65:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 69:
  69:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/nomis/templates
Skipping folder as path name contains *templates*
tflint_exitcode=2

*****************************

Running tflint in terraform/modules/baseline_presets
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)

  on terraform/modules/baseline_presets/sns_topics.tf line 13:
  13: data "aws_ssm_parameter" "sns_topics_email" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/modules/baseline_presets/sns_topics.tf line 25:
  25:         "${key}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline_presets/variables.tf line 1:
   1: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

Warning: `ip_addresses` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline_presets/variables.tf line 5:
   5: variable "ip_addresses" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=4
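
The two Session Manager findings in the Checkov output above (CKV_AWS_113 and CKV_AWS_112) both come from the same `aws_ssm_document`, which has CloudWatch and S3 encryption switched off and no `kmsKeyId`. What follows is an added example, not the repository's code: the same document with encryption enabled, a KMS key supplied so session data is encrypted in transit, and a KMS-encrypted log group retained for a year, which is what CKV_AWS_158 and CKV_AWS_338 ask of any log group. The key, its policy, the log group name and the data sources are assumptions for the example.

```hcl
# Added example: hardened Session Manager preferences. The key, log group
# and IAM wiring are placeholders, not values from the scanned repository.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Key policy: the account root keeps full control, and the CloudWatch Logs
# service may use the key only for the named log group. Without the second
# statement, creating a KMS-encrypted log group fails with AccessDenied.
data "aws_iam_policy_document" "session_manager_kms" {
  statement {
    sid       = "AccountRoot"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    sid    = "CloudWatchLogsUse"
    effect = "Allow"
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:session-manager-logs"]
    }
  }
}

resource "aws_kms_key" "session_manager" {
  description         = "Session Manager session stream and log encryption"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.session_manager_kms.json
}

resource "aws_cloudwatch_log_group" "session_manager" {
  name              = "session-manager-logs"
  kms_key_id        = aws_kms_key.session_manager.arn # CKV_AWS_158
  retention_in_days = 365                             # CKV_AWS_338
}

resource "aws_ssm_document" "session_manager_settings" {
  name            = "SSM-SessionManagerRunShell"
  document_type   = "Session"
  document_format = "JSON"

  content = jsonencode({
    schemaVersion = "1.0"
    description   = "Document to hold regional settings for Session Manager"
    sessionType   = "Standard_Stream"
    inputs = {
      # Session data is encrypted with this key in transit. Both the
      # operator starting the session and the instance profile need
      # permission to use the key, or sessions fail to start.
      kmsKeyId                    = aws_kms_key.session_manager.arn # CKV_AWS_112
      cloudWatchLogGroupName      = aws_cloudwatch_log_group.session_manager.name
      cloudWatchEncryptionEnabled = true # CKV_AWS_113; the log group above is KMS-encrypted
      cloudWatchStreamingEnabled  = true
      s3BucketName                = ""
      s3KeyPrefix                 = ""
      # Kept true even with no bucket, so that adding a bucket later
      # cannot land unencrypted and the literal false is not flagged.
      s3EncryptionEnabled = true
      idleSessionTimeout  = "20"
      runAsEnabled        = false
      runAsDefaultUser    = ""
      shellProfile = {
        windows = ""
        linux   = ""
      }
    }
  })
}
```

With `cloudWatchEncryptionEnabled` set, Session Manager checks that the target log group is actually KMS-encrypted before it streams, so the log group and the document have to be changed together; flipping the flag alone breaks every new session. The same applies to `kmsKeyId`: the value can be a key ID, alias or ARN, but it only works once the instance role and the people who start sessions are allowed `kms:Decrypt` and `kms:GenerateDataKey` on that key.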

@robertsweetman robertsweetman had a problem deploying to corporate-staff-rostering-test September 6, 2023 09:50 — with GitHub Actions Failure
@robertsweetman robertsweetman had a problem deploying to corporate-staff-rostering-development September 6, 2023 09:50 — with GitHub Actions Failure
github-actions bot commented Sep 6, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis terraform/environments/nomis/templates terraform/modules/baseline_presets

*****************************

Running TFSEC in terraform/environments/nomis
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             3.359007ms
  parsing              393.691973ms
  adaptation           551.102µs
  checks               23.876365ms
  total                421.478447ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     273
  files read           73

  results
  ──────────────────────────────────────────
  passed               39
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

*****************************

Running TFSEC in terraform/environments/nomis/templates
Skipping folder as path name contains *templates*

*****************************

Running TFSEC in terraform/modules/baseline_presets
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             534.203µs
  parsing              24.752169ms
  adaptation           121.801µs
  checks               19.215352ms
  total                44.623525ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     37
  files read           17

  results
  ──────────────────────────────────────────
  passed               2
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis terraform/environments/nomis/templates terraform/modules/baseline_presets

*****************************

Running Checkov in terraform/environments/nomis
terraform scan results:

Passed checks: 122, Failed checks: 17, Skipped checks: 4

Check: CKV_AWS_113: "Ensure Session Manager logs are enabled and encrypted"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-networking-62.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_112: "Ensure Session Manager data is encrypted in transit"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-session-manager-data-is-encrypted-in-transit.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ec2_common.tf:322-370

		322 | data "aws_iam_policy_document" "cloudwatch_datasource" {
		323 |   statement {
		324 |     sid    = "AllowReadingMetricsFromCloudWatch"
		325 |     effect = "Allow"
		326 |     actions = [
		327 |       "cloudwatch:DescribeAlarmsForMetric",
		328 |       "cloudwatch:DescribeAlarmHistory",
		329 |       "cloudwatch:DescribeAlarms",
		330 |       "cloudwatch:ListMetrics",
		331 |       "cloudwatch:GetMetricData",
		332 |       "cloudwatch:GetInsightRuleReport"
		333 |     ]
		334 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		335 |     resources = ["*"]
		336 |   }
		337 |   statement {
		338 |     sid    = "AllowReadingLogsFromCloudWatch"
		339 |     effect = "Allow"
		340 |     actions = [
		341 |       "logs:DescribeLogGroups",
		342 |       "logs:GetLogGroupFields",
		343 |       "logs:StartQuery",
		344 |       "logs:StopQuery",
		345 |       "logs:GetQueryResults",
		346 |       "logs:GetLogEvents"
		347 |     ]
		348 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		349 |     resources = ["*"]
		350 |   }
		351 |   statement {
		352 |     sid    = "AllowReadingTagsInstancesRegionsFromEC2"
		353 |     effect = "Allow"
		354 |     actions = [
		355 |       "ec2:DescribeTags",
		356 |       "ec2:DescribeInstances",
		357 |       "ec2:DescribeRegions"
		358 |     ]
		359 |     resources = ["*"]
		360 |   }
		361 |   statement {
		362 |     sid    = "AllowReadingResourcesForTags"
		363 |     effect = "Allow"
		364 |     actions = [
		365 |       "tag:GetResources"
		366 |     ]
		367 |     resources = ["*"]
		368 |   }
		369 | 
		370 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-164
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-164

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-164

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-164

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-164

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-164
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-164

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-164

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.baseline.aws_secretsmanager_secret.this
	File: /../../modules/baseline/secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/nomis/templates
Skipping folder as path name contains *templates*

*****************************

Running Checkov in terraform/modules/baseline_presets

checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis terraform/environments/nomis/templates terraform/modules/baseline_presets

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
6 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 22:
  22:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 37:
  37:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 41:
  41:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 50:
  50:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 65:
  65:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 69:
  69:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/nomis/templates
Skipping folder as path name contains *templates*
tflint_exitcode=2

*****************************

Running tflint in terraform/modules/baseline_presets
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)

  on terraform/modules/baseline_presets/sns_topics.tf line 13:
  13: data "aws_ssm_parameter" "sns_topics_email" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/modules/baseline_presets/sns_topics.tf line 25:
  25:         "${key}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline_presets/variables.tf line 1:
   1: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

Warning: `ip_addresses` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline_presets/variables.tf line 5:
   5: variable "ip_addresses" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=4

@robertsweetman robertsweetman merged commit 15e0f9e into main Sep 6, 2023
@robertsweetman robertsweetman deleted the csr/ports-for-ad branch September 6, 2023 09:53