New files for terraform/environments #4335

Merged
merged 1 commit into from
Dec 14, 2023
Conversation

modernisation-platform-ci

This PR was automatically created via a GitHub action workflow 🤖

This PR commits new files under terraform/environments.

@modernisation-platform-ci modernisation-platform-ci requested a review from a team as a code owner December 14, 2023 11:43
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 14, 2023

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-core/modules/components/delius-microservice

*****************************

Running TFSEC in terraform/environments/delius-core/modules/components/delius-microservice
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  sg.tf:36
────────────────────────────────────────────────────────────────────────────────
   30    resource "aws_security_group_rule" "weblogic_allow_all_egress" {
   31      description       = "Allow all outbound traffic to any IPv4 address on 443"
   32      type              = "egress"
   33      from_port         = 443
   34      to_port           = 443
   35      protocol          = "tcp"
   36  [   cidr_blocks       = ["0.0.0.0/0"]
   37      security_group_id = aws_security_group.weblogic_service.id
   38    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ../../ecs_policies/main.tf:107
   via ecs.tf:22-27 (module.ecs_policies)
────────────────────────────────────────────────────────────────────────────────
  104    data "aws_iam_policy_document" "task_exec" {
  ...  
  107  [     resources = ["*"]
  ...  
  121    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #3 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ../../ecs_policies/main.tf:46
   via ecs.tf:22-27 (module.ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   ..  
   46  [     resources = ["*"]
   ..  
   58    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #4-5 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../../ecs_policies/main.tf:48-56
   via ecs.tf:22-27 (module.ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   44      statement {
   45        effect    = "Allow"
   46        resources = ["*"]
   47    
   48  ┌     actions = concat([
   49          "elasticloadbalancing:Describe*",
   50          "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   51          "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../../ecs_policies/main.tf:22-27 (module.ecs_policies) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #6 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:45
────────────────────────────────────────────────────────────────────────────────
   45      deletion_protection                 = var.rds_deletion_protection
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #7 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:65
────────────────────────────────────────────────────────────────────────────────
   31    resource "aws_db_instance" "this" {
   ..  
   65  [   performance_insights_enabled    = var.rds_performance_insights_enabled (false)
   ..  
   71    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #8 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  sg.tf:50-54
────────────────────────────────────────────────────────────────────────────────
   50    resource "aws_cloudwatch_log_group" "ecs_log_group" {
   51      name              = "${var.name}-${var.env_name}"
   52      retention_in_days = 7
   53      tags              = var.tags
   54    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             419.97µs
  parsing              2.0065837s
  adaptation           758.846µs
  checks               17.442558ms
  total                2.025205074s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    4
  blocks processed     167
  files read           17

  results
  ──────────────────────────────────────────
  passed               36
  ignored              0
  critical             1
  high                 4
  medium               1
  low                  2

  36 passed, 8 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/delius-microservice

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/delius-microservice
2023-12-14 11:46:01,826 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.61.1:None (for external modules, the --download-external-modules flag is required)
2023-12-14 11:46:01,826 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 131, Failed checks: 12, Skipped checks: 2

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: container_definition
	File: /ecs.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.61.1"
		3  |   container_name           = "${var.name}-${var.env_name}"
		4  |   container_image          = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-weblogic-ecr-repo:${var.weblogic_config.frontend_image_tag}"
		5  |   container_memory         = 4096
		6  |   container_cpu            = 1024
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  |   environment              = var.container_environment_vars
		10 |   secrets                  = var.container_secrets
		11 |   port_mappings            = var.container_port_mappings
		12 |   log_configuration = {
		13 |     logDriver = "awslogs"
		14 |     options = {
		15 |       "awslogs-group"         = aws_cloudwatch_log_group.delius_core_frontend_log_group.name
		16 |       "awslogs-region"        = "eu-west-2"
		17 |       "awslogs-stream-prefix" = var.weblogic_config.frontend_fully_qualified_name
		18 |     }
		19 |   }
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:31-71

		31 | resource "aws_db_instance" "this" {
		32 |   engine         = var.rds_engine
		33 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		34 |   engine_version = var.rds_engine_version
		35 |   instance_class = var.rds_instance_class
		36 |   identifier     = "${var.name}-${var.env_name}-db"
		37 |   username       = var.rds_username
		38 | 
		39 |   manage_master_user_password = true
		40 | 
		41 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		42 | 
		43 |   # tflint-ignore: aws_db_instance_default_parameter_group
		44 |   parameter_group_name                = var.rds_parameter_group_name
		45 |   deletion_protection                 = var.rds_deletion_protection
		46 |   delete_automated_backups            = var.rds_delete_automated_backups
		47 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		48 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		49 |   allocated_storage                   = var.rds_allocated_storage
		50 |   max_allocated_storage               = var.rds_max_allocated_storage
		51 |   storage_type                        = var.rds_storage_type
		52 |   maintenance_window                  = var.rds_maintenance_window
		53 |   auto_minor_version_upgrade          = var.rds_auto_minor_version_upgrade
		54 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		55 |   backup_window                       = var.rds_backup_window
		56 |   backup_retention_period             = var.rds_backup_retention_period
		57 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		58 |   db_subnet_group_name                = aws_db_subnet_group.this.id
		59 |   vpc_security_group_ids              = [aws_security_group.db.id]
		60 |   multi_az                            = var.rds_multi_az
		61 |   monitoring_interval                 = var.rds_monitoring_interval
		62 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		63 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		64 |   storage_encrypted               = true
		65 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		66 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		67 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		68 |   tags = merge(var.tags,
		69 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		70 |   )
		71 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:31-71

		31 | resource "aws_db_instance" "this" {
		32 |   engine         = var.rds_engine
		33 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		34 |   engine_version = var.rds_engine_version
		35 |   instance_class = var.rds_instance_class
		36 |   identifier     = "${var.name}-${var.env_name}-db"
		37 |   username       = var.rds_username
		38 | 
		39 |   manage_master_user_password = true
		40 | 
		41 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		42 | 
		43 |   # tflint-ignore: aws_db_instance_default_parameter_group
		44 |   parameter_group_name                = var.rds_parameter_group_name
		45 |   deletion_protection                 = var.rds_deletion_protection
		46 |   delete_automated_backups            = var.rds_delete_automated_backups
		47 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		48 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		49 |   allocated_storage                   = var.rds_allocated_storage
		50 |   max_allocated_storage               = var.rds_max_allocated_storage
		51 |   storage_type                        = var.rds_storage_type
		52 |   maintenance_window                  = var.rds_maintenance_window
		53 |   auto_minor_version_upgrade          = var.rds_auto_minor_version_upgrade
		54 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		55 |   backup_window                       = var.rds_backup_window
		56 |   backup_retention_period             = var.rds_backup_retention_period
		57 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		58 |   db_subnet_group_name                = aws_db_subnet_group.this.id
		59 |   vpc_security_group_ids              = [aws_security_group.db.id]
		60 |   multi_az                            = var.rds_multi_az
		61 |   monitoring_interval                 = var.rds_monitoring_interval
		62 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		63 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		64 |   storage_encrypted               = true
		65 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		66 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		67 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		68 |   tags = merge(var.tags,
		69 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		70 |   )
		71 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:31-71

		31 | resource "aws_db_instance" "this" {
		32 |   engine         = var.rds_engine
		33 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		34 |   engine_version = var.rds_engine_version
		35 |   instance_class = var.rds_instance_class
		36 |   identifier     = "${var.name}-${var.env_name}-db"
		37 |   username       = var.rds_username
		38 | 
		39 |   manage_master_user_password = true
		40 | 
		41 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		42 | 
		43 |   # tflint-ignore: aws_db_instance_default_parameter_group
		44 |   parameter_group_name                = var.rds_parameter_group_name
		45 |   deletion_protection                 = var.rds_deletion_protection
		46 |   delete_automated_backups            = var.rds_delete_automated_backups
		47 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		48 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		49 |   allocated_storage                   = var.rds_allocated_storage
		50 |   max_allocated_storage               = var.rds_max_allocated_storage
		51 |   storage_type                        = var.rds_storage_type
		52 |   maintenance_window                  = var.rds_maintenance_window
		53 |   auto_minor_version_upgrade          = var.rds_auto_minor_version_upgrade
		54 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		55 |   backup_window                       = var.rds_backup_window
		56 |   backup_retention_period             = var.rds_backup_retention_period
		57 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		58 |   db_subnet_group_name                = aws_db_subnet_group.this.id
		59 |   vpc_security_group_ids              = [aws_security_group.db.id]
		60 |   multi_az                            = var.rds_multi_az
		61 |   monitoring_interval                 = var.rds_monitoring_interval
		62 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		63 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		64 |   storage_encrypted               = true
		65 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		66 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		67 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		68 |   tags = merge(var.tags,
		69 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		70 |   )
		71 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:31-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		31 | resource "aws_db_instance" "this" {
		32 |   engine         = var.rds_engine
		33 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		34 |   engine_version = var.rds_engine_version
		35 |   instance_class = var.rds_instance_class
		36 |   identifier     = "${var.name}-${var.env_name}-db"
		37 |   username       = var.rds_username
		38 | 
		39 |   manage_master_user_password = true
		40 | 
		41 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		42 | 
		43 |   # tflint-ignore: aws_db_instance_default_parameter_group
		44 |   parameter_group_name                = var.rds_parameter_group_name
		45 |   deletion_protection                 = var.rds_deletion_protection
		46 |   delete_automated_backups            = var.rds_delete_automated_backups
		47 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		48 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		49 |   allocated_storage                   = var.rds_allocated_storage
		50 |   max_allocated_storage               = var.rds_max_allocated_storage
		51 |   storage_type                        = var.rds_storage_type
		52 |   maintenance_window                  = var.rds_maintenance_window
		53 |   auto_minor_version_upgrade          = var.rds_auto_minor_version_upgrade
		54 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		55 |   backup_window                       = var.rds_backup_window
		56 |   backup_retention_period             = var.rds_backup_retention_period
		57 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		58 |   db_subnet_group_name                = aws_db_subnet_group.this.id
		59 |   vpc_security_group_ids              = [aws_security_group.db.id]
		60 |   multi_az                            = var.rds_multi_az
		61 |   monitoring_interval                 = var.rds_monitoring_interval
		62 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		63 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		64 |   storage_encrypted               = true
		65 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		66 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		67 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		68 |   tags = merge(var.tags,
		69 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		70 |   )
		71 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:31-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		31 | resource "aws_db_instance" "this" {
		32 |   engine         = var.rds_engine
		33 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		34 |   engine_version = var.rds_engine_version
		35 |   instance_class = var.rds_instance_class
		36 |   identifier     = "${var.name}-${var.env_name}-db"
		37 |   username       = var.rds_username
		38 | 
		39 |   manage_master_user_password = true
		40 | 
		41 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		42 | 
		43 |   # tflint-ignore: aws_db_instance_default_parameter_group
		44 |   parameter_group_name                = var.rds_parameter_group_name
		45 |   deletion_protection                 = var.rds_deletion_protection
		46 |   delete_automated_backups            = var.rds_delete_automated_backups
		47 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		48 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		49 |   allocated_storage                   = var.rds_allocated_storage
		50 |   max_allocated_storage               = var.rds_max_allocated_storage
		51 |   storage_type                        = var.rds_storage_type
		52 |   maintenance_window                  = var.rds_maintenance_window
		53 |   auto_minor_version_upgrade          = var.rds_auto_minor_version_upgrade
		54 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		55 |   backup_window                       = var.rds_backup_window
		56 |   backup_retention_period             = var.rds_backup_retention_period
		57 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		58 |   db_subnet_group_name                = aws_db_subnet_group.this.id
		59 |   vpc_security_group_ids              = [aws_security_group.db.id]
		60 |   multi_az                            = var.rds_multi_az
		61 |   monitoring_interval                 = var.rds_monitoring_interval
		62 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		63 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		64 |   storage_encrypted               = true
		65 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		66 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		67 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		68 |   tags = merge(var.tags,
		69 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		70 |   )
		71 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs_log_group
	File: /sg.tf:50-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		50 | resource "aws_cloudwatch_log_group" "ecs_log_group" {
		51 |   name              = "${var.name}-${var.env_name}"
		52 |   retention_in_days = 7
		53 |   tags              = var.tags
		54 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ecs_log_group
	File: /sg.tf:50-54

		50 | resource "aws_cloudwatch_log_group" "ecs_log_group" {
		51 |   name              = "${var.name}-${var.env_name}"
		52 |   retention_in_days = 7
		53 |   tags              = var.tags
		54 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../../ecs_policies/main.tf:104-121
	Calling File: /ecs.tf:22-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../../ecs_policies/main.tf:104-121
	Calling File: /ecs.tf:22-27

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ecs_service
	File: /sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:31-71

		31 | resource "aws_db_instance" "this" {
		32 |   engine         = var.rds_engine
		33 |   license_model  = length(var.rds_license_model) > 0 ? var.rds_license_model : null
		34 |   engine_version = var.rds_engine_version
		35 |   instance_class = var.rds_instance_class
		36 |   identifier     = "${var.name}-${var.env_name}-db"
		37 |   username       = var.rds_username
		38 | 
		39 |   manage_master_user_password = true
		40 | 
		41 |   snapshot_identifier = var.snapshot_identifier != null && length(var.snapshot_identifier) > 0 ? var.snapshot_identifier : null
		42 | 
		43 |   # tflint-ignore: aws_db_instance_default_parameter_group
		44 |   parameter_group_name                = var.rds_parameter_group_name
		45 |   deletion_protection                 = var.rds_deletion_protection
		46 |   delete_automated_backups            = var.rds_delete_automated_backups
		47 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		48 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-snapshot" : null
		49 |   allocated_storage                   = var.rds_allocated_storage
		50 |   max_allocated_storage               = var.rds_max_allocated_storage
		51 |   storage_type                        = var.rds_storage_type
		52 |   maintenance_window                  = var.rds_maintenance_window
		53 |   auto_minor_version_upgrade          = var.rds_auto_minor_version_upgrade
		54 |   allow_major_version_upgrade         = var.rds_auto_major_version_upgrade
		55 |   backup_window                       = var.rds_backup_window
		56 |   backup_retention_period             = var.rds_backup_retention_period
		57 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		58 |   db_subnet_group_name                = aws_db_subnet_group.this.id
		59 |   vpc_security_group_ids              = [aws_security_group.db.id]
		60 |   multi_az                            = var.rds_multi_az
		61 |   monitoring_interval                 = var.rds_monitoring_interval
		62 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		63 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		64 |   storage_encrypted               = true
		65 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		66 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		67 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		68 |   tags = merge(var.tags,
		69 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) }
		70 |   )
		71 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/delius-microservice

*****************************

Running tflint in terraform/environments/delius-core/modules/components/delius-microservice
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in "required_providers" (terraform_required_providers)

  on terraform/environments/delius-core/modules/components/delius-microservice/sg.tf line 50:
  50: resource "aws_cloudwatch_log_group" "ecs_log_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@ASTRobinson ASTRobinson merged commit 962680a into main Dec 14, 2023
9 of 10 checks passed
@ASTRobinson ASTRobinson deleted the date-1702554227 branch December 14, 2023 16:33