Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump lb_access_logs_enabled::modernisation-platform-terraform-loadbalancer from 3.1.2 to 3.2.0 in /terraform/environments/example #3647

Closed
wants to merge 1 commit into from
Closed

Bump lb_access_logs_enabled::modernisation-platform-terraform-loadbalancer from 3.1.2 to 3.2.0 in /terraform/environments/example #3647

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 13, 2023
edited
Loading

Bumps lb_access_logs_enabled::modernisation-platform-terraform-loadbalancer from 3.1.2 to 3.2.0.

Release notes

Sourced from lb_access_logs_enabled::modernisation-platform-terraform-loadbalancer's releases.

v3.2.0

What's Changed

New Contributors

Full Changelog: ministryofjustice/modernisation-platform-terraform-loadbalancer@v3.1.2...v3.2.0

Commits
  • eeada75 Merge pull request #259 from ministryofjustice/fix/adding-glue-crawler-to-module
  • bda113c Merge pull request #261 from ministryofjustice/dependabot/github_actions/brid...
  • 78f7a0c Merge pull request #260 from ministryofjustice/dependabot/go_modules/test/gol...
  • 9e6cbf8 Bump bridgecrewio/checkov-action from 12.2526.0 to 12.2527.0
  • 5bcceab Bump golang.org/x/net from 0.7.0 to 0.17.0 in /test
  • f85499b spelling correction
  • e6be90f trying to fix checkoh error
  • ec8d532 added skip to the workflow
  • 4a0aad1 checkov correction
  • a5a009b ignore added for the moment on checkov
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from a team as a code owner October 13, 2023 00:23
@dependabot dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels Oct 13, 2023
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 13, 2023
@github-actions
Copy link
Contributor

TFSEC Scan Failed

Show Output 
*****************************

TFSEC will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running TFSEC in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:89
────────────────────────────────────────────────────────────────────────────────
   83    resource "aws_security_group_rule" "allow_all_egress" {
   84      description       = "Allow all outbound traffic to any IPv4 address"
   85      type              = "egress"
   86      from_port         = 0
   87      to_port           = 0
   88      protocol          = "-1"
   89  [   cidr_blocks       = ["0.0.0.0/0"]
   90      security_group_id = aws_security_group.ldap.id
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:185
────────────────────────────────────────────────────────────────────────────────
  179    resource "aws_security_group_rule" "weblogic_allow_all_egress" {
  180      description       = "Allow all outbound traffic to any IPv4 address on 443"
  181      type              = "egress"
  182      from_port         = 443
  183      to_port           = 443
  184      protocol          = "tcp"
  185  [   cidr_blocks       = ["0.0.0.0/0"]
  186      security_group_id = aws_security_group.weblogic_service.id
  187    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #3-5 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:107
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
  104    data "aws_iam_policy_document" "task_exec" {
  ...  
  107  [     resources = ["*"]
  ...  
  121    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #6-8 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:46
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   ..  
   46  [     resources = ["*"]
   ..  
   58    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-14 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:48-56
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   44      statement {
   45        effect    = "Allow"
   46        resources = ["*"]
   47    
   48  ┌     actions = concat([
   49"elasticloadbalancing:Describe*",
   50"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   51"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #15 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  db_ec2.tf:69
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_instance" "db_ec2_primary_instance" {
   ..  
   69  [     http_tokens   = "optional" ("optional")
   ..  
   94    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Results #16-19 HIGH IAM policy document uses wildcarded action 'kms:Encrypt' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_iam.tf:27-36
────────────────────────────────────────────────────────────────────────────────
   24    data "aws_iam_policy_document" "business_unit_kms_key_access" {
   25      statement {
   26        effect = "Allow"
   27  ┌     actions = [
   28"kms:Encrypt",
   29"kms:Decrypt",
   30"kms:ReEncrypt*",
   31"kms:GenerateDataKey*",
   32"kms:DescribeKey",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_iam.tf:24-41 (data.aws_iam_policy_document.business_unit_kms_key_access) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:44-46
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44  ┌     actions = [
   45"s3:*"
   46  └     ]
   47        resources = [
   48          "${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource '1fdb1d45-0463-482e-a738-ae21e24ebc3f' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44        actions = [
   45          "s3:*"
   46        ]
   47  ┌     resources = [
   48"${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH IAM policy document uses sensitive action 'efs:DescribeFileSystems' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:100
────────────────────────────────────────────────────────────────────────────────
   97    data "aws_iam_policy_document" "efs_backup_policy" {
   ..  
  100  [     resources = ["*"]
  ...  
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH IAM policy document uses sensitive action 'backup:CreateBackupPlan' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:72
────────────────────────────────────────────────────────────────────────────────
   69    data "aws_iam_policy_document" "delius_core_backup_policy" {
   ..  
   72  [     resources = ["*"]
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #24-26 HIGH IAM policy document uses wildcarded action 'backup:*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:51-55
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   51  ┌     actions = [
   52"backup:*",
   53"datasync:*",
   54"elasticfilesystem:*",
   55  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_datasync.tf:48-67 (data.aws_iam_policy_document.ldap_datasync_role_access) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #27 HIGH IAM policy document uses sensitive action 'backup:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:56
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   56  [     resources = ["*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #28 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:61
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   61  [     actions = ["s3:*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #29 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource 'fda11086-e5fe-4396-9e6c-95f21739a227' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:62-65
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   62  ┌     resources = [
   63"${module.s3_bucket_ldap_data_refresh.bucket.arn}",
   64"${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
   65  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #30 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:170
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  ...  
  170  [     resources = ["*"]
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #31-32 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:172-180
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  168      statement {
  169        effect    = "Allow"
  170        resources = ["*"]
  171    
  172  ┌     actions = [
  173"elasticloadbalancing:Describe*",
  174"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
  175"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_ecs.tf:167-182 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #33 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:209-211
────────────────────────────────────────────────────────────────────────────────
  204    data "aws_iam_policy_document" "ecs_s3" {
  205      statement {
  206        effect    = "Allow"
  207        resources = [module.s3_bucket_migration.bucket.arn]
  208    
  209  ┌     actions = [
  210"s3:*"
  211  └     ]
  212      }
  213    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #34 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:248
────────────────────────────────────────────────────────────────────────────────
  245    data "aws_iam_policy_document" "ecs_exec" {
  ...  
  248  [     resources = ["*"]
  ...  
  262    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #35-36 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170
   via ldap_datasync.tf:96-110 (module.s3_bucket_ldap_data_refresh)
────────────────────────────────────────────────────────────────────────────────
  167    resource "aws_s3_bucket_versioning" "default" {
  168      bucket = aws_s3_bucket.default.id
  169      versioning_configuration {
  170  [     status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
  171      }
  172    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:96-110 (module.s3_bucket_ldap_data_refresh)
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:1-38 (module.s3_bucket_oracledb_backups)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #37 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  db_service.tf:114-118
────────────────────────────────────────────────────────────────────────────────
  114    resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
  115      name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
  116      retention_in_days = 7
  117      tags              = local.tags
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #38 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:113-120
────────────────────────────────────────────────────────────────────────────────
  113    resource "aws_security_group_rule" "efs_ingress_ldap" {
  114      type                     = "ingress"
  115      from_port                = 2049
  116      to_port                  = 2049
  117      protocol                 = "tcp"
  118      source_security_group_id = aws_security_group.ldap_efs.id
  119      security_group_id        = aws_security_group.ldap.id
  120    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #39 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:122-125
────────────────────────────────────────────────────────────────────────────────
  122    resource "aws_cloudwatch_log_group" "ldap" {
  123      name              = "${var.env_name}-ldap-ecs"
  124      retention_in_days = 30
  125    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #40 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:271-274
────────────────────────────────────────────────────────────────────────────────
  271    resource "aws_cloudwatch_log_group" "ldap_test" {
  272      name              = "/ecs/ldap_${var.env_name}"
  273      retention_in_days = 5
  274    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #41 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:55-62
────────────────────────────────────────────────────────────────────────────────
   55    resource "aws_security_group_rule" "efs_ingress" {
   56      type                     = "ingress"
   57      from_port                = 2049
   58      to_port                  = 2049
   59      protocol                 = "tcp"
   60      source_security_group_id = aws_security_group.ldap.id
   61      security_group_id        = aws_security_group.ldap_efs.id
   62    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #42 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:64-71
────────────────────────────────────────────────────────────────────────────────
   64    resource "aws_security_group_rule" "efs_egress" {
   65      type              = "egress"
   66      from_port         = 0
   67      to_port           = 0
   68      protocol          = "all"
   69      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   70      security_group_id = aws_security_group.ldap_efs.id
   71    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #43 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:199-203
────────────────────────────────────────────────────────────────────────────────
  199    resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
  200      name              = var.weblogic_config.frontend_fully_qualified_name
  201      retention_in_days = 7
  202      tags              = local.tags
  203    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             2.792533ms
  parsing              3.883979813s
  adaptation           23.628532ms
  checks               14.083997ms
  total                3.924484875s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    14
  blocks processed     649
  files read           74

  results
  ──────────────────────────────────────────
  passed               223
  ignored              20
  critical             2
  high                 32
  medium               2
  low                  7

  223 passed, 20 ignored, 43 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output 
*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running Checkov in terraform/environments/delius-core/modules/environment_all_components
2023-10-13 00:26:20,046 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 00:26:20,046 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 00:26:20,047 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
2023-10-13 00:26:20,047 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 643, Failed checks: 77, Skipped checks: 4

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.db_ec2_primary_instance
	File: /db_ec2.tf:54-94
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		54 | resource "aws_instance" "db_ec2_primary_instance" {
		55 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		56 |   instance_type               = var.db_config.instance.instance_type
		57 |   ami                         = data.aws_ami.oracle_db_ami.id
		58 |   vpc_security_group_ids      = [aws_security_group.db_ec2_instance_sg.id]
		59 |   subnet_id                   = var.account_config.data_subnet_a_id
		60 |   iam_instance_profile        = aws_iam_instance_profile.db_ec2_instanceprofile.name
		61 |   associate_public_ip_address = false
		62 |   monitoring                  = var.db_config.instance.monitoring
		63 |   ebs_optimized               = true
		64 |   key_name                    = aws_key_pair.environment_ec2_user_key_pair.key_name
		65 |   user_data_base64            = var.db_config.user_data_raw
		66 | 
		67 |   metadata_options {
		68 |     http_endpoint = "enabled"
		69 |     http_tokens   = "optional"
		70 |   }
		71 | 
		72 |   root_block_device {
		73 |     volume_type = var.db_config.ebs_volumes.root_volume.volume_type
		74 |     volume_size = var.db_config.ebs_volumes.root_volume.volume_size
		75 |     iops        = var.db_config.ebs_volumes.iops
		76 |     throughput  = var.db_config.ebs_volumes.throughput
		77 |     encrypted   = true
		78 |     kms_key_id  = var.db_config.ebs_volumes.kms_key_id
		79 |     tags        = local.tags
		80 |   }
		81 | 
		82 |   dynamic "ephemeral_block_device" {
		83 |     for_each = { for k, v in var.db_config.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true }
		84 |     content {
		85 |       device_name = ephemeral_block_device.key
		86 |       no_device   = true
		87 |     }
		88 |   }
		89 |   tags = merge(local.tags,
		90 |     { Name = lower(format("%s-%s-1", var.env_name, var.db_config.name)) },
		91 |     { server-type = "delius_core_db" },
		92 |     { database = "delius_primarydb" }
		93 |   )
		94 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups
	File: /db_s3.tf:1-38
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "s3_bucket_oracledb_backups" {
		2  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		3  |   bucket_name         = "${var.env_name}-oracle-database-backups"
		4  |   versioning_enabled  = false
		5  |   ownership_controls  = "BucketOwnerEnforced"
		6  |   replication_enabled = false
		7  |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		8  | 
		9  |   providers = {
		10 |     aws.bucket-replication = aws.bucket-replication
		11 |   }
		12 | 
		13 |   lifecycle_rule = [
		14 |     {
		15 |       id      = "main"
		16 |       enabled = "Enabled"
		17 |       prefix  = ""
		18 | 
		19 |       tags = {
		20 |         rule      = "log"
		21 |         autoclean = "true"
		22 |       }
		23 | 
		24 |       transition = [
		25 |         {
		26 |           days          = 90
		27 |           storage_class = "STANDARD_IA"
		28 |         }
		29 |       ]
		30 | 
		31 |       expiration = {
		32 |         days = 365
		33 |       }
		34 |     }
		35 |   ]
		36 | 
		37 |   tags = local.tags
		38 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: testing_db_container
	File: /db_service.tf:1-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "testing_db_container" {
		2  |   count                    = var.env_name == "dev" ? 1 : 0
		3  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0"
		4  |   container_name           = "${var.env_name}-${var.delius_db_container_config.fully_qualified_name}"
		5  |   container_image          = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/${var.delius_db_container_config.image_name}-ecr-repo:${var.delius_db_container_config.image_tag}"
		6  |   container_memory         = 4096
		7  |   container_cpu            = 1024
		8  |   essential                = true
		9  |   readonly_root_filesystem = false
		10 |   port_mappings = [
		11 |     {
		12 |       containerPort = var.delius_db_container_config.port
		13 |       hostPort      = var.delius_db_container_config.port
		14 |       protocol      = "tcp"
		15 |     },
		16 |   ]
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.delius_core_testing_db_log_group.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = var.delius_db_container_config.fully_qualified_name
		23 |     }
		24 |   }
		25 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /ldap_backups.tf:1-9
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-backup-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /ldap_datasync.tf:96-110
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		96  | module "s3_bucket_ldap_data_refresh" {
		97  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		98  |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		99  |   versioning_enabled  = false
		100 |   ownership_controls  = "BucketOwnerEnforced"
		101 |   replication_enabled = false
		102 |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		103 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		104 | 
		105 |   providers = {
		106 |     aws.bucket-replication = aws.bucket-replication
		107 |   }
		108 | 
		109 |   tags = local.tags
		110 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /ldap_ecs.tf:113-120
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		113 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		114 |   type                     = "ingress"
		115 |   from_port                = 2049
		116 |   to_port                  = 2049
		117 |   protocol                 = "tcp"
		118 |   source_security_group_id = aws_security_group.ldap_efs.id
		119 |   security_group_id        = aws_security_group.ldap.id
		120 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_deployment
	File: /ldap_ecs.tf:33-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		33 | module "s3_bucket_ldap_deployment" {
		34 | 
		35 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		36 | 
		37 |   providers = {
		38 |     aws.bucket-replication = aws.bucket-replication
		39 |   }
		40 |   bucket_prefix      = "${var.env_name}-ldap-deployment-"
		41 |   versioning_enabled = true
		42 | 
		43 |   lifecycle_rule = [
		44 |     {
		45 |       id      = "main"
		46 |       enabled = "Enabled"
		47 |       prefix  = ""
		48 | 
		49 |       tags = {
		50 |         rule      = "log"
		51 |         autoclean = "true"
		52 |       }
		53 | 
		54 |       noncurrent_version_transition = [
		55 |         {
		56 |           days          = 90
		57 |           storage_class = "STANDARD_IA"
		58 |           }, {
		59 |           days          = 365
		60 |           storage_class = "GLACIER"
		61 |         }
		62 |       ]
		63 | 
		64 |       noncurrent_version_expiration = {
		65 |         days = 730
		66 |       }
		67 |     }
		68 |   ]
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress
	File: /ldap_efs.tf:55-62
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		55 | resource "aws_security_group_rule" "efs_ingress" {
		56 |   type                     = "ingress"
		57 |   from_port                = 2049
		58 |   to_port                  = 2049
		59 |   protocol                 = "tcp"
		60 |   source_security_group_id = aws_security_group.ldap.id
		61 |   security_group_id        = aws_security_group.ldap_efs.id
		62 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_egress
	File: /ldap_efs.tf:64-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		64 | resource "aws_security_group_rule" "efs_egress" {
		65 |   type              = "egress"
		66 |   from_port         = 0
		67 |   to_port           = 0
		68 |   protocol          = "all"
		69 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		70 |   security_group_id = aws_security_group.ldap_efs.id
		71 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /ldap_params.tf:20-30

		20 | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		21 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		22 |   type  = "SecureString"
		23 |   value = "INITIAL_VALUE_OVERRIDDEN"
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       value
		27 |     ]
		28 |   }
		29 |   tags = local.tags
		30 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /ldap_params.tf:32-42

		32 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		33 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		34 |   type  = "SecureString"
		35 |   value = "INITIAL_VALUE_OVERRIDDEN"
		36 |   lifecycle {
		37 |     ignore_changes = [
		38 |       value
		39 |     ]
		40 |   }
		41 |   tags = local.tags
		42 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /ldap_s3.tf:1-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ldap_s3.tf:94-133
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		94  | module "s3_bucket_app_deployment" {
		95  | 
		96  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		97  | 
		98  |   bucket_name        = "${var.app_name}-${var.env_name}-openldap-deployment"
		99  |   versioning_enabled = true
		100 | 
		101 |   providers = {
		102 |     aws.bucket-replication = aws.bucket-replication
		103 |   }
		104 | 
		105 |   lifecycle_rule = [
		106 |     {
		107 |       id      = "main"
		108 |       enabled = "Enabled"
		109 |       prefix  = ""
		110 | 
		111 |       tags = {
		112 |         rule      = "log"
		113 |         autoclean = "true"
		114 |       }
		115 | 
		116 |       noncurrent_version_transition = [
		117 |         {
		118 |           days          = 90
		119 |           storage_class = "STANDARD_IA"
		120 |           }, {
		121 |           days          = 365
		122 |           storage_class = "GLACIER"
		123 |         }
		124 |       ]
		125 | 
		126 |       noncurrent_version_expiration = {
		127 |         days = 730
		128 |       }
		129 |     }
		130 |   ]
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-41

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | 
		41 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:43-54

		43 | resource "aws_ssm_parameter" "oasys_user" {
		44 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		45 |   type  = "SecureString"
		46 |   value = "INITIAL_VALUE_OVERRIDDEN"
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 |   tags = local.tags
		53 | 
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:56-67

		56 | resource "aws_ssm_parameter" "oasys_password" {
		57 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | 
		67 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:69-80

		69 | resource "aws_ssm_parameter" "iaps_user" {
		70 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		71 |   type  = "SecureString"
		72 |   value = "INITIAL_VALUE_OVERRIDDEN"
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 |   tags = local.tags
		79 | 
		80 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:82-93

		82 | resource "aws_ssm_parameter" "iaps_user_password" {
		83 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = local.tags
		92 | 
		93 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:95-106

		95  | resource "aws_ssm_parameter" "dss_user" {
		96  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		97  |   type  = "SecureString"
		98  |   value = "INITIAL_VALUE_OVERRIDDEN"
		99  |   lifecycle {
		100 |     ignore_changes = [
		101 |       value
		102 |     ]
		103 |   }
		104 |   tags = local.tags
		105 | 
		106 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:108-119

		108 | resource "aws_ssm_parameter" "dss_user_password" {
		109 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		110 |   type  = "SecureString"
		111 |   value = "INITIAL_VALUE_OVERRIDDEN"
		112 |   lifecycle {
		113 |     ignore_changes = [
		114 |       value
		115 |     ]
		116 |   }
		117 |   tags = local.tags
		118 | 
		119 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:121-132

		121 | resource "aws_ssm_parameter" "casenotes_user" {
		122 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		123 |   type  = "SecureString"
		124 |   value = "INITIAL_VALUE_OVERRIDDEN"
		125 |   lifecycle {
		126 |     ignore_changes = [
		127 |       value
		128 |     ]
		129 |   }
		130 |   tags = local.tags
		131 | 
		132 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:134-144

		134 | resource "aws_ssm_parameter" "casenotes_user_password" {
		135 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		136 |   type  = "SecureString"
		137 |   value = "INITIAL_VALUE_OVERRIDDEN"
		138 |   lifecycle {
		139 |     ignore_changes = [
		140 |       value
		141 |     ]
		142 |   }
		143 |   tags = local.tags
		144 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:146-157

		146 | resource "aws_ssm_parameter" "test_user_password" {
		147 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		148 |   type  = "SecureString"
		149 |   value = "INITIAL_VALUE_OVERRIDDEN"
		150 |   lifecycle {
		151 |     ignore_changes = [
		152 |       value
		153 |     ]
		154 |   }
		155 | 
		156 |   tags = local.tags
		157 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:159-171

		159 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		160 |   name  = format("/%s-%s/gdpr/api/client_secret", var.account_info.application_name, var.env_name)
		161 |   type  = "SecureString"
		162 |   value = "INITIAL_VALUE_OVERRIDDEN"
		163 | 
		164 |   lifecycle {
		165 |     ignore_changes = [
		166 |       value
		167 |     ]
		168 |   }
		169 | 
		170 |   tags = local.tags
		171 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:173-185

		173 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		174 |   name  = format("/%s-%s/pwm/pwm/config_password", var.account_info.application_name, var.env_name)
		175 |   type  = "SecureString"
		176 |   value = "INITIAL_VALUE_OVERRIDDEN"
		177 | 
		178 |   lifecycle {
		179 |     ignore_changes = [
		180 |       value
		181 |     ]
		182 |   }
		183 | 
		184 |   tags = local.tags
		185 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:187-199

		187 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		188 |   name  = format("/%s-%s/merge/api/client_secret", var.account_info.application_name, var.env_name)
		189 |   type  = "SecureString"
		190 |   value = "INITIAL_VALUE_OVERRIDDEN"
		191 | 
		192 |   lifecycle {
		193 |     ignore_changes = [
		194 |       value
		195 |     ]
		196 |   }
		197 | 
		198 |   tags = local.tags
		199 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:201-213

		201 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		202 |   name  = format("/%s-%s/weblogic/ndelius-domain/umt_client_secret", var.account_info.application_name, var.env_name)
		203 |   type  = "SecureString"
		204 |   value = "INITIAL_VALUE_OVERRIDDEN"
		205 | 
		206 |   lifecycle {
		207 |     ignore_changes = [
		208 |       value
		209 |     ]
		210 |   }
		211 | 
		212 |   tags = local.tags
		213 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /weblogic_alb.tf:39-51
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		39 | resource "aws_lb" "delius_core_frontend" {
		40 |   # checkov:skip=CKV_AWS_91
		41 |   # checkov:skip=CKV2_AWS_28
		42 | 
		43 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		44 |   internal           = false
		45 |   load_balancer_type = "application"
		46 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		47 |   subnets            = var.account_config.public_subnet_ids
		48 | 
		49 |   enable_deletion_protection = false
		50 |   drop_invalid_header_fields = true
		51 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_url
	File: /weblogic_params.tf:6-16

		6  | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = format("jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN/%s", var.weblogic_config.db_name)
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_password
	File: /weblogic_params.tf:18-28

		18 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_password" {
		19 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		20 |   type  = "SecureString"
		21 |   value = "INITIAL_VALUE_OVERRIDDEN"
		22 |   tags  = local.tags
		23 |   lifecycle {
		24 |     ignore_changes = [
		25 |       value
		26 |     ]
		27 |   }
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_username
	File: /weblogic_params.tf:37-47

		37 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_username" {
		38 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = local.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_password
	File: /weblogic_params.tf:49-59

		49 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_password" {
		50 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		51 |   type  = "SecureString"
		52 |   value = "INITIAL_VALUE_OVERRIDDEN"
		53 |   lifecycle {
		54 |     ignore_changes = [
		55 |       value
		56 |     ]
		57 |   }
		58 |   tags = local.tags
		59 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_eis_user_context
	File: /weblogic_params.tf:61-71

		61 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_eis_user_context" {
		62 |   name  = format("/%s/%s/EIS_USER_CONTEXT", var.account_info.application_name, var.env_name)
		63 |   type  = "SecureString"
		64 |   value = "INITIAL_VALUE_OVERRIDDEN"
		65 |   lifecycle {
		66 |     ignore_changes = [
		67 |       value
		68 |     ]
		69 |   }
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_user_context
	File: /weblogic_params.tf:73-83

		73 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_user_context" {
		74 |   name  = format("/%s/%s/USER_CONTEXT", var.account_info.application_name, var.env_name)
		75 |   type  = "SecureString"
		76 |   value = "INITIAL_VALUE_OVERRIDDEN"
		77 |   lifecycle {
		78 |     ignore_changes = [
		79 |       value
		80 |     ]
		81 |   }
		82 |   tags = local.tags
		83 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: weblogic_container
	File: /weblogic_service.tf:1-63
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.ebs_volume.aws_ebs_volume.this
	File: /../ebs_volume/main.tf:1-10
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup.html

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 | }

Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
	FAILED for resource: aws_route53_record.delius-core-db
	File: /db_service.tf:70-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html

		70 | resource "aws_route53_record" "delius-core-db" {
		71 |   count    = var.env_name == "dev" ? 1 : 0
		72 |   provider = aws.core-vpc
		73 |   zone_id  = var.account_config.route53_inner_zone_info.zone_id
		74 |   name     = "${var.app_name}-${var.env_name}-${var.delius_db_container_config.fully_qualified_name}.${var.account_config.route53_inner_zone_info.name}"
		75 |   type     = "A"
		76 |   ttl      = 300
		77 |   records  = ["10.26.26.95"]
		78 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.delius_db_security_group
	File: /db_service.tf:80-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		80 | resource "aws_security_group" "delius_db_security_group" {
		81 |   name        = format("%s - Delius Core DB", var.env_name)
		82 |   description = "Rules for the delius testing db ecs service"
		83 |   vpc_id      = var.account_config.shared_vpc_id
		84 |   tags        = local.tags
		85 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /ldap_ecs.tf:73-81
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		73 | resource "aws_security_group" "ldap" {
		74 |   name        = "${var.env_name}-ldap-sg"
		75 |   description = "Security group for the ${var.env_name} ldap service"
		76 |   vpc_id      = var.account_info.vpc_id
		77 |   tags        = local.tags
		78 |   lifecycle {
		79 |     create_before_destroy = true
		80 |   }
		81 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.weblogic_service
	File: /weblogic_service.tf:114-122
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		114 | resource "aws_security_group" "weblogic_service" {
		115 |   name        = format("%s - Delius Core Weblogic service", var.env_name)
		116 |   description = "Security group for the ${var.env_name} weblogic service"
		117 |   vpc_id      = var.account_info.vpc_id
		118 |   tags        = local.tags
		119 |   lifecycle {
		120 |     create_before_destroy = true
		121 |   }
		122 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running tflint in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/db_s3.tf line 48:
  48:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 63:
  63:       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 76:
  76:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Oct 13, 2023

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.2-3.2.0 branch October 13, 2023 13:22
@ASTRobinson ASTRobinson restored the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.2-3.2.0 branch October 13, 2023 13:22
@ASTRobinson ASTRobinson reopened this Oct 13, 2023
@dependabot
Bump lb_access_logs_enabled::modernisation-platform-terraform-loadbal…
dd3d997 
…ancer

Bumps [lb_access_logs_enabled::modernisation-platform-terraform-loadbalancer](https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer) from 3.1.2 to 3.2.0.
- [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer/releases)
- [Commits](ministryofjustice/modernisation-platform-terraform-loadbalancer@v3.1.2...v3.2.0)

---
updated-dependencies:
- dependency-name: lb_access_logs_enabled::github::ministryofjustice/modernisation-platform-terraform-loadbalancer::v3.1.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.2-3.2.0 branch from 1f6ee5e to dd3d997 Compare October 13, 2023 13:23
@dependabot dependabot bot deleted the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.2-3.2.0 branch October 13, 2023 13:24
@ASTRobinson ASTRobinson restored the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.2-3.2.0 branch October 13, 2023 13:24
@ASTRobinson ASTRobinson reopened this Oct 13, 2023
@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output 
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output 
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output 
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output 
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

1 similar comment
@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output 
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output 
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Nov 1, 2023

Superseded by #3845.

@dependabot dependabot bot closed this Nov 1, 2023
@dependabot dependabot bot deleted the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.2-3.2.0 branch November 1, 2023 00:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file environments-repository Used to exclude PRs from this repo in our Slack PR update terraform Pull requests that update Terraform code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ASTRobinson