
nomis: DSOS-2205: updated SSM parameters #3516

Merged (1 commit), Sep 29, 2023

Conversation

drobinson-moj (Contributor)

Corrected DB names following discussion with Sandhya.
Added Azure param for SAS token.

@drobinson-moj drobinson-moj requested review from a team as code owners September 29, 2023 15:49
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 29, 2023
github-actions (Contributor)

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/hmpps-oem terraform/environments/nomis-combined-reporting terraform/environments/nomis-data-hub terraform/environments/oasys terraform/environments/planetfm

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.692031ms
  parsing              217.108613ms
  adaptation           123.102µs
  checks               8.000345ms
  total                226.924091ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     266
  files read           70

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

*****************************

Running TFSEC in terraform/environments/hmpps-oem
Excluding the following checks: AWS095

  timings
  ──────────────────────────────────────────
  disk i/o             1.542627ms
  parsing              178.422514ms
  adaptation           148.203µs
  checks               15.721783ms
  total                195.835127ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     265
  files read           70

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

*****************************

Running TFSEC in terraform/environments/nomis-combined-reporting
Excluding the following checks: AWS095

  timings
  ──────────────────────────────────────────
  disk i/o             1.598523ms
  parsing              247.242455ms
  adaptation           195.004µs
  checks               9.741375ms
  total                258.777357ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     266
  files read           73

  results
  ──────────────────────────────────────────
  passed               4
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

*****************************

Running TFSEC in terraform/environments/nomis-data-hub
Excluding the following checks: AWS095

  timings
  ──────────────────────────────────────────
  disk i/o             1.655828ms
  parsing              237.394477ms
  adaptation           150.703µs
  checks               8.015744ms
  total                247.216752ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     263
  files read           68

  results
  ──────────────────────────────────────────
  passed               4
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

*****************************

Running TFSEC in terraform/environments/oasys
Excluding the following checks: AWS095

  timings
  ──────────────────────────────────────────
  disk i/o             1.629238ms
  parsing              310.849ms
  adaptation           169.603µs
  checks               8.996462ms
  total                321.644303ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     264
  files read           69

  results
  ──────────────────────────────────────────
  passed               7
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

*****************************

Running TFSEC in terraform/environments/planetfm
Excluding the following checks: AWS095

  timings
  ──────────────────────────────────────────
  disk i/o             1.524427ms
  parsing              202.204842ms
  adaptation           126.202µs
  checks               7.819937ms
  total                211.675408ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     264
  files read           69

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/hmpps-oem terraform/environments/nomis-combined-reporting terraform/environments/nomis-data-hub terraform/environments/oasys terraform/environments/planetfm

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 92, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/hmpps-oem
terraform scan results:

Passed checks: 90, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/nomis-combined-reporting
terraform scan results:

Passed checks: 90, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/nomis-data-hub
terraform scan results:

Passed checks: 102, Failed checks: 12, Skipped checks: 19

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_2"]
	File: /main.tf:93-103

		93  | resource "aws_ssm_parameter" "ndh_secrets" {
		94  |   for_each = toset(local.ndh_secrets)
		95  |   name     = each.value
		96  |   type     = "SecureString"
		97  |   value    = random_password.random_value.result
		98  |   lifecycle {
		99  |     ignore_changes = [
		100 |       value,
		101 |     ]
		102 |   }
		103 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for the remaining eleven instances of the same block (File: /main.tf:93-103, source as shown above):
	aws_ssm_parameter.ndh_secrets["ndh_app_host_b"]
	aws_ssm_parameter.ndh_secrets["ndh_ems_port_1"]
	aws_ssm_parameter.ndh_secrets["ndh_domain_name"]
	aws_ssm_parameter.ndh_secrets["ndh_admin_user"]
	aws_ssm_parameter.ndh_secrets["ndh_ems_host_a"]
	aws_ssm_parameter.ndh_secrets["ndh_harkemsadmin_ssl_pass"]
	aws_ssm_parameter.ndh_secrets["ndh_host_os"]
	aws_ssm_parameter.ndh_secrets["ndh_ems_host_b"]
	aws_ssm_parameter.ndh_secrets["ndh_app_host_a"]
	aws_ssm_parameter.ndh_secrets["ndh_host_os_version"]
	aws_ssm_parameter.ndh_secrets["ndh_admin_pass"]


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/oasys
terraform scan results:

Passed checks: 90, Failed checks: 0, Skipped checks: 19


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/planetfm
terraform scan results:

Passed checks: 90, Failed checks: 0, Skipped checks: 19


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/hmpps-oem terraform/environments/nomis-combined-reporting terraform/environments/nomis-data-hub terraform/environments/oasys terraform/environments/planetfm

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/hmpps-oem
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/nomis-combined-reporting
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/nomis-data-hub
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/nomis-data-hub/main.tf line 88:
  88: resource "random_password" "random_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/oasys
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

*****************************

Running tflint in terraform/environments/planetfm
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2
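
Both findings in the scan output above point at the same file, terraform/environments/nomis-data-hub/main.tf. Checkov's CKV_AWS_337 fails because the SecureString parameters set no key_id, so AWS encrypts them with the account's AWS-managed alias/aws/ssm key rather than a customer-managed KMS key; tflint's terraform_required_providers warning fires because the random provider behind random_password.random_value has no version constraint. Those are the only findings in the run (oasys and planetfm report zero failed checks even though their exit codes are non-zero). The block below is an added example of how that file could be amended to clear both; it is not code from this PR or from the project it belongs to. The resource and local names are taken from the scan output, and local.ndh_secrets is reconstructed from the twelve resource keys Checkov listed; the KMS key and alias names, the provider version constraints, the password length and the reader policy document are assumptions.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # assumed constraint
    }
    # A version constraint on "random" clears the tflint
    # terraform_required_providers warning raised on main.tf line 88.
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5" # assumed constraint
    }
  }
}

locals {
  # The twelve parameter names Checkov reported, reproduced from the scan output.
  ndh_secrets = [
    "ndh_admin_user",
    "ndh_admin_pass",
    "ndh_app_host_a",
    "ndh_app_host_b",
    "ndh_domain_name",
    "ndh_ems_host_a",
    "ndh_ems_host_b",
    "ndh_ems_port_1",
    "ndh_ems_port_2",
    "ndh_harkemsadmin_ssl_pass",
    "ndh_host_os",
    "ndh_host_os_version",
  ]
}

# Customer-managed key (hypothetical name and alias) so the SecureString
# parameters no longer fall back to the AWS-managed alias/aws/ssm key.
resource "aws_kms_key" "ndh_ssm" {
  description             = "CMK for nomis-data-hub SSM SecureString parameters"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "ndh_ssm" {
  name          = "alias/ndh-ssm"
  target_key_id = aws_kms_key.ndh_ssm.key_id
}

# Placeholder used to seed every parameter; the real values are set out of
# band, which is why "value" is excluded from drift detection below.
resource "random_password" "random_value" {
  length  = 32 # assumed
  special = false
}

resource "aws_ssm_parameter" "ndh_secrets" {
  for_each = toset(local.ndh_secrets)
  name     = each.value
  type     = "SecureString"
  key_id   = aws_kms_key.ndh_ssm.arn # satisfies CKV_AWS_337
  value    = random_password.random_value.result
  lifecycle {
    ignore_changes = [
      value,
    ]
  }
}

# With a customer-managed key, a principal that reads these parameters with
# WithDecryption=true also needs kms:Decrypt on that key. Grant it to the
# readers explicitly rather than widening the key policy. (Hypothetical name.)
data "aws_iam_policy_document" "ndh_ssm_read" {
  statement {
    actions   = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = [for p in aws_ssm_parameter.ndh_secrets : p.arn]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.ndh_ssm.arn]
  }
}
```

After applying, re-run `checkov -d terraform/environments/nomis-data-hub --check CKV_AWS_337` and `tflint` in that folder to confirm both findings are gone; in a live account, `aws ssm describe-parameters --parameter-filters "Key=KeyId,Values=alias/aws/ssm"` lists any parameters still encrypted with the AWS-managed key. Two caveats the scanners do not raise: `ignore_changes = [value]` also hides an out-of-band overwrite of a parameter from `terraform plan`, and the seed from random_password is stored in plain text in the Terraform state, so the state backend needs the same access controls as the parameters themselves.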

@drobinson-moj drobinson-moj merged commit 220b69a into main Sep 29, 2023
@drobinson-moj drobinson-moj deleted the nomis/DSOS-2205/new-ssm-params branch September 29, 2023 16:03
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update