Cc 2815

[SahidKhan89]

No description provided.

[mmgovuk]

👍

[github-actions]

Trivy Scan Failed

Show Output

```hcl

---

Trivy will check the following folders:
terraform/environments/ccms-ebs

---

Running Trivy in terraform/environments/ccms-ebs
2024-09-20T11:00:53Z INFO [db] Need to update DB
2024-09-20T11:00:53Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-20T11:00:53Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 440.955µs, allowed: 44000/minute

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-20 11:00:56,060 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 856, Failed checks: 65, Skipped checks: 3

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.lambda_security_group
	File: /ccms-lambda.tf:22-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		22 | resource "aws_security_group" "lambda_security_group" {
		23 |   name   = "${local.application_name}-${local.environment}-lambda-sg"
		24 |   description = "SG traffic control for Payment Load Lambda"
		25 |   vpc_id = data.aws_vpc.shared.id
		26 | 
		27 |   ingress {
		28 |     from_port   = 1521
		29 |     to_port     = 1522
		30 |     protocol    = "tcp"
		31 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		32 |   }
		33 | 
		34 |   egress {
		35 |     from_port   = 0
		36 |     to_port     = 0
		37 |     protocol    = "-1"
		38 |     cidr_blocks = ["0.0.0.0/0"]
		39 |   }
		40 | 
		41 |   tags = merge(local.tags,
		42 |     { Name = "${local.application_name}-${local.environment}-lambda-sg" }
		43 |   )
		44 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/function.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 | 
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-payment-load"
		74 |   })
		75 | 
		76 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		77 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/function.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 | 
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-payment-load"
		74 |   })
		75 | 
		76 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		77 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/function.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 | 
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-payment-load"
		74 |   })
		75 | 
		76 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		77 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/function.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 | 
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-payment-load"
		74 |   })
		75 | 
		76 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		77 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.lambda_function
	File: /ccms-lambda.tf:48-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		48 | resource "aws_lambda_function" "lambda_function" {
		49 |   function_name = "${local.application_name}-${local.environment}-payment-load"
		50 |   filename      = "lambda/function.zip"
		51 |   handler       = "lambda_function.lambda_handler"
		52 |   runtime       = "python3.10"
		53 |   role          = aws_iam_role.lambda_execution_role.arn
		54 |   layers        = [aws_lambda_layer_version.lambda_layer.arn]
		55 |   architectures = ["x86_64"]
		56 |   memory_size   = 128
		57 |   timeout       = 120
		58 | 
		59 |   vpc_config {
		60 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		61 |     security_group_ids = [aws_security_group.lambda_security_group.id]
		62 |   }
		63 |   environment {
		64 |     variables = {
		65 |       IS_PRODUCTION   = local.is-production ? "true" : "false"
		66 |       LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
		67 |       S3_BUCKET_NAME  = aws_s3_bucket.lambda_payment_load.bucket
		68 |       SECRET_NAME     = aws_secretsmanager_secret.secret_lambda_s3.name
		69 |     }
		70 |   }
		71 | 
		72 |   tags = merge(local.tags, {
		73 |     Name = "${local.application_name}-${local.environment}-payment-load"
		74 |   })
		75 | 
		76 |   depends_on = [aws_lambda_layer_version.lambda_layer]
		77 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:172-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		173 |   name        = "ebs_waf"
		174 |   scope       = "REGIONAL"
		175 |   description = "AWS WAF Web ACL for EBS"
		176 | 
		177 |   default_action {
		178 |     block {}
		179 |   }
		180 | 
		181 |   rule {
		182 |     name = "ebs-trusted-rule"
		183 | 
		184 |     priority = 1
		185 |     action {
		186 |       allow {}
		187 |     }
		188 | 
		189 |     statement {
		190 |       ip_set_reference_statement {
		191 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		192 |       }
		193 |     }
		194 | 
		195 |     visibility_config {
		196 |       cloudwatch_metrics_enabled = true
		197 |       metric_name                = "ebs_waf_metrics"
		198 |       sampled_requests_enabled   = true
		199 |     }
		200 |   }
		201 | 
		202 |   tags = merge(local.tags,
		203 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		204 |   )
		205 | 
		206 |   visibility_config {
		207 |     cloudwatch_metrics_enabled = true
		208 |     metric_name                = "ebs_waf_metrics"
		209 |     sampled_requests_enabled   = true
		210 |   }
		211 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:213-220
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		214 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		215 |   retention_in_days = 30
		216 | 
		217 |   tags = merge(local.tags,
		218 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		219 |   )
		220 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
	File: /ccms-secrets.tf:23-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
		24 |   name        = "db-${local.environment}-credentials"
		25 |   description = "AWS credentials for lambda to connect to the db"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = "db-${local.environment}-credentials" }
		29 |   )
		30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /ccms-s3.tf:286-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		287 |   bucket = "${local.application_name}-${local.environment}-shared"
		288 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.lambda_payment_load
	File: /ccms-s3.tf:293-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		293 | resource "aws_s3_bucket" "lambda_payment_load" {
		294 |   bucket = "${local.application_name}-${local.environment}-payment-load"
		295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-09-20T11:00:53Z	INFO	[db] Need to update DB
2024-09-20T11:00:53Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-20T11:00:53Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
	* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 440.955µs, allowed: 44000/minute


trivy_exitcode=1