
add rename-computer and reboot #3572

Merged (1 commit), Oct 5, 2023


robertsweetman (Contributor)

  • rename and reboot if newName != $env:COMPUTERNAME
  • if/when this has changed, run Add-Computer
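
The rename-then-join flow described in the two bullets above, as an added example rather than the user-data script from this PR. It also adds an already-joined check so the script can safely run on every boot; $NewName, $DomainName and the credential source are placeholders, not values from the PR.

```powershell
# Added example, not the script from this PR. Placeholders: the target name,
# domain and credential source would normally come from instance metadata or a secret store.
$NewName    = 'PLACEHOLDER-HOSTNAME'   # assumed: target computer name
$DomainName = 'example.internal'       # assumed: target AD domain
$JoinCred   = Get-Credential           # assumed: in practice fetched from a secrets store at boot

# Step 1: rename and reboot when the current name differs from the target.
# The script is expected to run again after the restart (for example on every boot),
# so it returns here and lets the next run perform the join.
if ($env:COMPUTERNAME -ne $NewName) {
    Write-Output "Renaming $env:COMPUTERNAME to $NewName and rebooting"
    Rename-Computer -NewName $NewName -Force -Restart
    return
}

# Step 2: the name now matches. Join only if the machine is not already a member
# of the domain, so a re-run after the join does not attempt a second Add-Computer.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain -and ($cs.Domain -ieq $DomainName)) {
    Write-Output "$env:COMPUTERNAME is already joined to $DomainName; nothing to do"
    return
}

Write-Output "Joining $env:COMPUTERNAME to $DomainName"
Add-Computer -DomainName $DomainName -Credential $JoinCred -Restart
```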

@robertsweetman robertsweetman requested review from a team as code owners October 5, 2023 07:56
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 5, 2023
@robertsweetman robertsweetman had a problem deploying to corporate-staff-rostering-test October 5, 2023 07:58 — with GitHub Actions Failure
@robertsweetman robertsweetman temporarily deployed to corporate-staff-rostering-development October 5, 2023 07:58 — with GitHub Actions Inactive
github-actions bot (Contributor) commented Oct 5, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@robertsweetman robertsweetman force-pushed the csr/domain-join-reboot branch from 03470dd to f4d80d4 October 5, 2023 08:43
@robertsweetman robertsweetman had a problem deploying to corporate-staff-rostering-development October 5, 2023 08:44 — with GitHub Actions Failure
@robertsweetman robertsweetman had a problem deploying to corporate-staff-rostering-test October 5, 2023 08:45 — with GitHub Actions Failure
github-actions bot (Contributor) commented Oct 5, 2023

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-iaps

*****************************

Running TFSEC in terraform/environments/delius-iaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 HIGH Topic does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  cloudwatch-alarms.tf:2-4
────────────────────────────────────────────────────────────────────────────────
    2    resource "aws_sns_topic" "iaps_alerting" {
    3      name = "${local.application_name}-alerting"
    4    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-enable-topic-encryption
      Impact The SNS topic messages could be read if compromised
  Resolution Turn on SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/enable-topic-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


Result #2 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   41      deletion_protection      = local.is-production ? true : false
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #3 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ad.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   47    resource "aws_cloudwatch_log_group" "active_directory" {
   48      name              = "/aws/directoryservice/${aws_directory_service_directory.active_directory.id}"
   49      retention_in_days = 14
   50    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Results #4-11 LOW Log group is not encrypted. (8 similar results)
────────────────────────────────────────────────────────────────────────────────
  ec2-iaps-server.tf:273-282
────────────────────────────────────────────────────────────────────────────────
  273    resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
  274      for_each          = toset(local.cloudwatch_agent_log_group_names)
  275      name              = "/iaps/${each.key}"
  276      retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
  277      tags = merge(
  278        local.ec2_tags,
  279        {
  280          "Name" = "iaps/${each.key}"
  281      })
  282    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/daysummary.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["iminterface/imiapsif.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["system-events"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/xmltransfer.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["access.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["amazon-cloudwatch-agent.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["application-events"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["error.log"])
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             674.7µs
  parsing              1.137289121s
  adaptation           855.098µs
  checks               28.377163ms
  total                1.167196082s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     173
  files read           29

  results
  ──────────────────────────────────────────
  passed               41
  ignored              3
  critical             0
  high                 1
  medium               1
  low                  9

  41 passed, 3 ignored, 11 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-iaps

*****************************

Running Checkov in terraform/environments/delius-iaps
2023-10-05 08:46:07,750 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 08:46:07,751 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 08:46:07,751 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 186, Failed checks: 41, Skipped checks: 7

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /ad.tf:47-50

		47 | resource "aws_cloudwatch_log_group" "active_directory" {
		48 |   name              = "/aws/directoryservice/${aws_directory_service_directory.active_directory.id}"
		49 |   retention_in_days = 14
		50 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /ad.tf:47-50
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		47 | resource "aws_cloudwatch_log_group" "active_directory" {
		48 |   name              = "/aws/directoryservice/${aws_directory_service_directory.active_directory.id}"
		49 |   retention_in_days = 14
		50 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /cloudwatch-alarms.tf:198-205
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		198 | module "pagerduty_core_alerts" {
		199 |   depends_on = [
		200 |     aws_sns_topic.iaps_alerting
		201 |   ]
		202 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		203 |   sns_topics                = [aws_sns_topic.iaps_alerting.name]
		204 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.integration_key_lookup]
		205 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.iaps_alerting
	File: /cloudwatch-alarms.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html

		2 | resource "aws_sns_topic" "iaps_alerting" {
		3 |   name = "${local.application_name}-alerting"
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_iaps_server
	File: /ec2-iaps-server.tf:241-268
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		241 | module "ec2_iaps_server" {
		242 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.0.0"
		243 | 
		244 |   providers = {
		245 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		246 |   }
		247 | 
		248 |   name                          = local.application_data.ec2_iaps_instance_label
		249 |   ami_name                      = local.iaps_server.ami_name
		250 |   ami_owner                     = local.application_data.ec2_iaps_instance_ami_owner
		251 |   instance                      = local.iaps_server.instance
		252 |   user_data_raw                 = local.iaps_server.user_data_raw
		253 |   ebs_volumes_copy_all_from_ami = local.iaps_server.ebs_volumes_copy_all_from_ami
		254 |   ebs_volume_config             = {}
		255 |   ebs_volumes                   = local.iaps_server.ebs_volumes
		256 |   ssm_parameters                = null
		257 |   autoscaling_group             = local.iaps_server.autoscaling_group
		258 |   autoscaling_schedules         = {}
		259 | 
		260 |   instance_profile_policies = local.iaps_server.iam_policies
		261 |   application_name          = local.application_name
		262 |   region                    = data.aws_region.current.name
		263 |   subnet_ids                = data.aws_subnets.shared-private.ids
		264 |   tags                      = local.ec2_tags
		265 |   account_ids_lookup        = local.environment_management.account_ids
		266 | 
		267 |   depends_on = [aws_kms_grant.image-builder-shared-hmpps-ebs-cmk-grant]
		268 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["application-events"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["access.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["amazon-cloudwatch-agent.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["iminterface/imiapsif.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["error.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/xmltransfer.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/daysummary.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["system-events"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ssm_least_privilege_policy
	File: /ec2-iaps-server.tf:186-223

		186 | data "aws_iam_policy_document" "ssm_least_privilege_policy" {
		187 |   statement {
		188 |     sid    = "CustomSsmPolicy"
		189 |     effect = "Allow"
		190 |     actions = [
		191 |       "ssm:DescribeAssociation",
		192 |       "ssm:DescribeDocument",
		193 |       "ssm:GetDeployablePatchSnapshotForInstance",
		194 |       "ssm:GetDocument",
		195 |       "ssm:GetManifest",
		196 |       "ssm:GetParameter",
		197 |       "ssm:GetParameters",
		198 |       "ssm:ListAssociations",
		199 |       "ssm:ListInstanceAssociations",
		200 |       "ssm:PutInventory",
		201 |       "ssm:PutComplianceItems",
		202 |       "ssm:PutConfigurePackageResult",
		203 |       "ssm:UpdateAssociationStatus",
		204 |       "ssm:UpdateInstanceAssociationStatus",
		205 |       "ssm:UpdateInstanceInformation",
		206 |       "ssmmessages:CreateControlChannel",
		207 |       "ssmmessages:CreateDataChannel",
		208 |       "ssmmessages:OpenControlChannel",
		209 |       "ssmmessages:OpenDataChannel",
		210 |       "ec2messages:AcknowledgeMessage",
		211 |       "ec2messages:DeleteMessage",
		212 |       "ec2messages:FailMessage",
		213 |       "ec2messages:GetEndpoint",
		214 |       "ec2messages:GetMessages",
		215 |       "ec2messages:SendReply"
		216 |     ]
		217 |     # skipping these as policy is a scoped down version of Amazon provided AmazonSSMManagedInstanceCore managed policy.  Permissions required for SSM function
		218 | 
		219 |     #checkov:skip=CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
		220 |     #checkov:skip=CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
		221 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		222 |   }
		223 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ci_secrets_rotator
	File: /iam.tf:39-64
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		39 | data "aws_iam_policy_document" "ci_secrets_rotator" {
		40 |   statement {
		41 |     sid    = "RotateSecrets"
		42 |     effect = "Allow"
		43 |     actions = [
		44 |       "secretsmanager:RotateSecret",
		45 |       "secretsmanager:DescribeSecret",
		46 |       "secretsmanager:PutSecretValue",
		47 |       "secretsmanager:UpdateSecretVersionStage",
		48 |     ]
		49 |     resources = [
		50 |       local.iaps_ds_admin_secret_arn
		51 |     ]
		52 |   }
		53 |   statement {
		54 |     sid    = "ResetDSUserPassword"
		55 |     effect = "Allow"
		56 |     actions = [
		57 |       "ds:ResetUserPassword",
		58 |       "ds:DescribeDirectories"
		59 |     ]
		60 |     resources = [
		61 |       "*"
		62 |     ]
		63 |   }
		64 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ci_secrets_rotator
	File: /iam.tf:39-64

		39 | data "aws_iam_policy_document" "ci_secrets_rotator" {
		40 |   statement {
		41 |     sid    = "RotateSecrets"
		42 |     effect = "Allow"
		43 |     actions = [
		44 |       "secretsmanager:RotateSecret",
		45 |       "secretsmanager:DescribeSecret",
		46 |       "secretsmanager:PutSecretValue",
		47 |       "secretsmanager:UpdateSecretVersionStage",
		48 |     ]
		49 |     resources = [
		50 |       local.iaps_ds_admin_secret_arn
		51 |     ]
		52 |   }
		53 |   statement {
		54 |     sid    = "ResetDSUserPassword"
		55 |     effect = "Allow"
		56 |     actions = [
		57 |       "ds:ResetUserPassword",
		58 |       "ds:DescribeDirectories"
		59 |     ]
		60 |     resources = [
		61 |       "*"
		62 |     ]
		63 |   }
		64 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.snapshot_sharer
	File: /iam.tf:117-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		117 | data "aws_iam_policy_document" "snapshot_sharer" {
		118 |   statement {
		119 |     sid    = "CopyAndShareSnapshots"
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "rds:CopyDBSnapshot",
		123 |       "rds:DescribeDBSnapshots",
		124 |       "rds:ModifyDBSnapshotAttribute"
		125 |     ]
		126 |     resources = [
		127 |       local.iaps_rds_snapshot_arn_pattern_preprod,
		128 |       local.iaps_rds_snapshot_arn_pattern_prod,
		129 |       aws_db_instance.iaps.arn
		130 |     ]
		131 |   }
		132 | 
		133 |   statement {
		134 |     sid    = "AllowSSMUsage"
		135 |     effect = "Allow"
		136 |     actions = [
		137 |       "ssm:PutParameter",
		138 |       "ssm:DescribeParameters"
		139 |     ]
		140 |     resources = [
		141 |       aws_ssm_parameter.iaps_snapshot_data_refresh_id.arn
		142 |     ]
		143 |   }
		144 | 
		145 |   statement {
		146 |     sid    = "AllowKMSUsage"
		147 |     effect = "Allow"
		148 |     actions = [
		149 |       "kms:DescribeKey",
		150 |       "kms:Decrypt",
		151 |       "kms:GenerateDataKey",
		152 |       "kms:CreateGrant"
		153 |     ]
		154 |     resources = [
		155 |       "*"
		156 |     ]
		157 |   }
		158 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.snapshot_sharer
	File: /iam.tf:117-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		117 | data "aws_iam_policy_document" "snapshot_sharer" {
		118 |   statement {
		119 |     sid    = "CopyAndShareSnapshots"
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "rds:CopyDBSnapshot",
		123 |       "rds:DescribeDBSnapshots",
		124 |       "rds:ModifyDBSnapshotAttribute"
		125 |     ]
		126 |     resources = [
		127 |       local.iaps_rds_snapshot_arn_pattern_preprod,
		128 |       local.iaps_rds_snapshot_arn_pattern_prod,
		129 |       aws_db_instance.iaps.arn
		130 |     ]
		131 |   }
		132 | 
		133 |   statement {
		134 |     sid    = "AllowSSMUsage"
		135 |     effect = "Allow"
		136 |     actions = [
		137 |       "ssm:PutParameter",
		138 |       "ssm:DescribeParameters"
		139 |     ]
		140 |     resources = [
		141 |       aws_ssm_parameter.iaps_snapshot_data_refresh_id.arn
		142 |     ]
		143 |   }
		144 | 
		145 |   statement {
		146 |     sid    = "AllowKMSUsage"
		147 |     effect = "Allow"
		148 |     actions = [
		149 |       "kms:DescribeKey",
		150 |       "kms:Decrypt",
		151 |       "kms:GenerateDataKey",
		152 |       "kms:CreateGrant"
		153 |     ]
		154 |     resources = [
		155 |       "*"
		156 |     ]
		157 |   }
		158 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.snapshot_sharer
	File: /iam.tf:117-158

		117 | data "aws_iam_policy_document" "snapshot_sharer" {
		118 |   statement {
		119 |     sid    = "CopyAndShareSnapshots"
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "rds:CopyDBSnapshot",
		123 |       "rds:DescribeDBSnapshots",
		124 |       "rds:ModifyDBSnapshotAttribute"
		125 |     ]
		126 |     resources = [
		127 |       local.iaps_rds_snapshot_arn_pattern_preprod,
		128 |       local.iaps_rds_snapshot_arn_pattern_prod,
		129 |       aws_db_instance.iaps.arn
		130 |     ]
		131 |   }
		132 | 
		133 |   statement {
		134 |     sid    = "AllowSSMUsage"
		135 |     effect = "Allow"
		136 |     actions = [
		137 |       "ssm:PutParameter",
		138 |       "ssm:DescribeParameters"
		139 |     ]
		140 |     resources = [
		141 |       aws_ssm_parameter.iaps_snapshot_data_refresh_id.arn
		142 |     ]
		143 |   }
		144 | 
		145 |   statement {
		146 |     sid    = "AllowKMSUsage"
		147 |     effect = "Allow"
		148 |     actions = [
		149 |       "kms:DescribeKey",
		150 |       "kms:Decrypt",
		151 |       "kms:GenerateDataKey",
		152 |       "kms:CreateGrant"
		153 |     ]
		154 |     resources = [
		155 |       "*"
		156 |     ]
		157 |   }
		158 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.iaps
	File: /rds.tf:1-51

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_snapshot_data_refresh_id
	File: /rds.tf:53-66

		53 | resource "aws_ssm_parameter" "iaps_snapshot_data_refresh_id" {
		54 |   name        = "/iaps/snapshot_id"
		55 |   description = "The ID of the RDS snapshot used for the IAPS database data refresh"
		56 |   type        = "String"
		57 |   value       = try(local.application_data.accounts[local.environment].db_snapshot_identifier, "")
		58 | 
		59 |   tags = {
		60 |     environment = "production"
		61 |   }
		62 | 
		63 |   lifecycle {
		64 |     ignore_changes = [value]
		65 |   }
		66 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.allow_db_in
	File: /rds.tf:87-94
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		87 | resource "aws_vpc_security_group_ingress_rule" "allow_db_in" {
		88 |   security_group_id = aws_security_group.iaps_db.id
		89 | 
		90 |   referenced_security_group_id = aws_security_group.iaps.id
		91 |   ip_protocol                  = "tcp"
		92 |   from_port                    = 1521
		93 |   to_port                      = 1521
		94 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-log-archive-bucket
	File: /s3.tf:3-53
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-oracle-user
	File: /ssm.tf:2-13

		2  | resource "aws_ssm_parameter" "im-interface-oracle-user" {
		3  |   name      = "/IMInterface/IAPSOracle/user"
		4  |   type      = "String"
		5  |   value     = "dev-placeholder-iapsoracle-user"
		6  |   overwrite = true
		7  | 
		8  |   lifecycle {
		9  |     ignore_changes = [
		10 |       value
		11 |     ]
		12 |   }
		13 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-oracle-password
	File: /ssm.tf:15-26

		15 | resource "aws_ssm_parameter" "im-interface-oracle-password" {
		16 |   name      = "/IMInterface/IAPSOracle/password"
		17 |   type      = "SecureString"
		18 |   value     = "dev-placeholder-iapsoracle-password"
		19 |   overwrite = true
		20 | 
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-dsn
	File: /ssm.tf:28-39

		28 | resource "aws_ssm_parameter" "im-interface-soap-odbc-dsn" {
		29 |   name      = "/IMInterface/SOAPServer/ODBC/dsn"
		30 |   type      = "String"
		31 |   value     = "dev-placeholder-soapserver-odbc-dsn"
		32 |   overwrite = true
		33 | 
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-server
	File: /ssm.tf:41-52

		41 | resource "aws_ssm_parameter" "im-interface-soap-odbc-server" {
		42 |   name      = "/IMInterface/SOAPServer/ODBC/server"
		43 |   type      = "String"
		44 |   value     = "dev-placeholder-soapserver-odbc-server"
		45 |   overwrite = true
		46 | 
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-database
	File: /ssm.tf:54-65

		54 | resource "aws_ssm_parameter" "im-interface-soap-odbc-database" {
		55 |   name      = "/IMInterface/SOAPServer/ODBC/database"
		56 |   type      = "String"
		57 |   value     = "dev-placeholder-soapserver-odbc-database"
		58 |   overwrite = true
		59 | 
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-uid
	File: /ssm.tf:67-78

		67 | resource "aws_ssm_parameter" "im-interface-soap-odbc-uid" {
		68 |   name      = "/IMInterface/SOAPServer/ODBC/uid"
		69 |   type      = "String"
		70 |   value     = "dev-placeholder-soapserver-odbc-uid"
		71 |   overwrite = true
		72 | 
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-pwd
	File: /ssm.tf:80-91

		80 | resource "aws_ssm_parameter" "im-interface-soap-odbc-pwd" {
		81 |   name      = "/IMInterface/SOAPServer/ODBC/pwd"
		82 |   type      = "SecureString"
		83 |   value     = "dev-placeholder-soapserver-odbc-pwd"
		84 |   overwrite = true
		85 | 
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndelius-interface-ssm-param
	File: /ssm.tf:93-105

		93  | resource "aws_ssm_parameter" "ndelius-interface-ssm-param" {
		94  |   for_each  = local.ndelius_interface_params.parameter
		95  |   name      = each.value.name
		96  |   type      = each.value.type
		97  |   value     = each.value.value
		98  |   overwrite = each.value.overwrite
		99  | 
		100 |   lifecycle {
		101 |     ignore_changes = [
		102 |       value
		103 |     ]
		104 |   }
		105 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.iaps
	File: /rds.tf:1-51

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.iaps_snapshot_data_refresh_id
	File: /rds.tf:53-66
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		53 | resource "aws_ssm_parameter" "iaps_snapshot_data_refresh_id" {
		54 |   name        = "/iaps/snapshot_id"
		55 |   description = "The ID of the RDS snapshot used for the IAPS database data refresh"
		56 |   type        = "String"
		57 |   value       = try(local.application_data.accounts[local.environment].db_snapshot_identifier, "")
		58 | 
		59 |   tags = {
		60 |     environment = "production"
		61 |   }
		62 | 
		63 |   lifecycle {
		64 |     ignore_changes = [value]
		65 |   }
		66 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-oracle-user
	File: /ssm.tf:2-13
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		2  | resource "aws_ssm_parameter" "im-interface-oracle-user" {
		3  |   name      = "/IMInterface/IAPSOracle/user"
		4  |   type      = "String"
		5  |   value     = "dev-placeholder-iapsoracle-user"
		6  |   overwrite = true
		7  | 
		8  |   lifecycle {
		9  |     ignore_changes = [
		10 |       value
		11 |     ]
		12 |   }
		13 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-dsn
	File: /ssm.tf:28-39
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		28 | resource "aws_ssm_parameter" "im-interface-soap-odbc-dsn" {
		29 |   name      = "/IMInterface/SOAPServer/ODBC/dsn"
		30 |   type      = "String"
		31 |   value     = "dev-placeholder-soapserver-odbc-dsn"
		32 |   overwrite = true
		33 | 
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-server
	File: /ssm.tf:41-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		41 | resource "aws_ssm_parameter" "im-interface-soap-odbc-server" {
		42 |   name      = "/IMInterface/SOAPServer/ODBC/server"
		43 |   type      = "String"
		44 |   value     = "dev-placeholder-soapserver-odbc-server"
		45 |   overwrite = true
		46 | 
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-database
	File: /ssm.tf:54-65
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		54 | resource "aws_ssm_parameter" "im-interface-soap-odbc-database" {
		55 |   name      = "/IMInterface/SOAPServer/ODBC/database"
		56 |   type      = "String"
		57 |   value     = "dev-placeholder-soapserver-odbc-database"
		58 |   overwrite = true
		59 | 
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-uid
	File: /ssm.tf:67-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		67 | resource "aws_ssm_parameter" "im-interface-soap-odbc-uid" {
		68 |   name      = "/IMInterface/SOAPServer/ODBC/uid"
		69 |   type      = "String"
		70 |   value     = "dev-placeholder-soapserver-odbc-uid"
		71 |   overwrite = true
		72 | 
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.ndelius-interface-ssm-param
	File: /ssm.tf:93-105
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		93  | resource "aws_ssm_parameter" "ndelius-interface-ssm-param" {
		94  |   for_each  = local.ndelius_interface_params.parameter
		95  |   name      = each.value.name
		96  |   type      = each.value.type
		97  |   value     = each.value.value
		98  |   overwrite = each.value.overwrite
		99  | 
		100 |   lifecycle {
		101 |     ignore_changes = [
		102 |       value
		103 |     ]
		104 |   }
		105 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_password
	File: /secrets.tf:13-23

		13 | resource "aws_secretsmanager_secret" "ad_password" {
		14 |   #checkov:skip=CKV_AWS_149
		15 |   name                    = "${var.networking[0].application}-ad-password"
		16 |   recovery_window_in_days = 0
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${var.networking[0].application}-ad-password"
		21 |     },
		22 |   )
		23 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.iaps
	File: /ec2-iaps-server.tf:101-106
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		101 | resource "aws_security_group" "iaps" {
		102 |   name        = lower(format("%s-%s", local.application_name, local.environment))
		103 |   description = "Controls access to IAPS EC2 instance"
		104 |   vpc_id      = data.aws_vpc.shared.id
		105 |   tags        = local.ec2_tags
		106 | }

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-iaps

*****************************

Running tflint in terraform/environments/delius-iaps
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/delius-iaps/secrets.tf line 4:
   4: resource "random_password" "ad_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@robertsweetman robertsweetman merged commit 58b8deb into main Oct 5, 2023
8 of 10 checks passed
@robertsweetman robertsweetman deleted the csr/domain-join-reboot branch October 5, 2023 09:02