Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TM-522; TM-525 Prepare for PRD build in MP #7985

Merged
merged 3 commits into from
Oct 2, 2024
Merged

TM-522; TM-525 Prepare for PRD build in MP #7985

merged 3 commits into from
Oct 2, 2024

Conversation

vc13837
Copy link
Contributor

@vc13837 vc13837 commented Oct 1, 2024

No description provided.

@vc13837 vc13837 requested review from a team as code owners October 1, 2024 12:00
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 1, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 1, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-10-01T12:02:29Z INFO [db] Need to update DB
2024-10-01T12:02:29Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-10-01T12:02:31Z INFO [vuln] Vulnerability scanning is enabled
2024-10-01T12:02:31Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-01T12:02:31Z INFO Need to update the built-in policies
2024-10-01T12:02:31Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-10-01T12:02:31Z INFO [secret] Secret scanning is enabled
2024-10-01T12:02:31Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-01T12:02:31Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-10-01T12:02:32Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-01T12:02:32Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-01T12:02:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-10-01T12:02:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-10-01T12:02:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-10-01T12:02:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-10-01T12:02:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-10-01T12:02:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-10-01T12:02:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-10-01T12:02:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-10-01T12:02:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-10-01T12:02:34Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-10-01T12:02:34Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-10-01T12:02:34Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-10-01T12:02:34Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:242"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:231"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:52"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:52"
2024-10-01T12:02:34Z INFO Number of language-specific files num=0
2024-10-01T12:02:34Z INFO Detected config files num=14

cloudfront.tf (terraform)

Tests: 15 (SUCCESSES: 13, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:243
via cloudfront.tf:240-244 (viewer_certificate)
via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
176 resource "aws_cloudfront_distribution" "external" {
...
243 [ minimum_protocol_version = "TLSv1.2_2018"
...
266 }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:130-141
────────────────────────────────────────
130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
131 │ bucket = aws_s3_bucket.cloudfront.id
132 │ rule {
133 │ apply_server_side_encryption_by_default {
134 │ sse_algorithm = "AES256"
135 │ }
136 │ }
137 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
138 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 2, EXCEPTIONS: 3)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-38
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2.tf:105
via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
103 resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 security_group_id = aws_security_group.database.id
105 [ cidr_ipv4 = "0.0.0.0/0"
106 ip_protocol = "-1"
107 }
────────────────────────────────────────

lambda.tf (terraform)

Tests: 54 (SUCCESSES: 7, FAILURES: 3, EXCEPTIONS: 44)
Failures: 3 (HIGH: 2, CRITICAL: 1)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambda.tf:194
via lambda.tf:189-195 (egress)
via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

modules/alb/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/alb/main.tf:289
via modules/alb/main.tf:284-291 (content)
via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
via modules/alb/main.tf:264-293 (aws_security_group.lb)
via alb.tf:27-163 (module.alb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 33 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 29)
Failures: 2 (HIGH: 1, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/ecs/main.tf:85
via modules/ecs/main.tf:80-87 (content)
via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
61 resource "aws_security_group" "cluster_ec2" {
..
85 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
..
96 }
────────────────────────────────────────

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

sns.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:6-14
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "apex" {
7 │ name = "${local.application_name}-${local.environment}-alerting-topic"
8 │ tags = merge(
9 │ local.tags,
10 │ {
11 │ Name = "${local.application_name}-${local.environment}-alerting-topic"
12 │ }
13 │ )
14 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-01 12:02:37,078 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-01 12:02:37,078 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 343, Failed checks: 94, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:156-174
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		156 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		157 |   count  = local.environment == "production" ? 1 : 0
		158 |   bucket = aws_s3_bucket.cloudfront.id
		159 | 
		160 |   rule {
		161 |     id = "delete-after-90days"
		162 | 
		163 |     expiration {
		164 |       days = 90
		165 |     }
		166 | 
		167 |     noncurrent_version_expiration {
		168 |       newer_noncurrent_versions = 1
		169 |       noncurrent_days           = 90
		170 |     }
		171 | 
		172 |     status = "Enabled"
		173 |   }
		174 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		294 | resource "aws_acm_certificate" "cloudfront" {
		295 |   domain_name               = local.environment == "production" ? data.aws_route53_zone.production_network_services.name : local.application_data.accounts[local.environment].acm_cert_domain_name
		296 |   validation_method         = "DNS"
		297 |   provider                  = aws.us-east-1
		298 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		299 |   tags                      = local.tags
		300 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		301 |   lifecycle {
		302 |     prevent_destroy = false
		303 |   }
		304 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |     )
		30 |   }
		31 | 
		32 |   tags = merge(
		33 |     local.tags,
		34 |     { "Name" = local.database_ec2_name },
		35 |     { "instance-scheduling" = "skip-scheduling" },
		36 |     { "snapshot-with-daily-7-day-retention" = "yes" }
		37 |   )
		38 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:75-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		75 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		76 |   security_group_id            = aws_security_group.database.id
		77 |   description                  = "Allow Lambda SSH access for backup snapshots"
		78 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		79 |   from_port                    = 22
		80 |   ip_protocol                  = "tcp"
		81 |   to_port                      = 22
		82 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:103-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		103 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		104 |   security_group_id = aws_security_group.database.id
		105 |   cidr_ipv4         = "0.0.0.0/0"
		106 |   ip_protocol       = "-1"
		107 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:134-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		135 |   name = "${local.application_name}-ec2-policy"
		136 |   role = aws_iam_role.ec2_instance_role.id
		137 |   policy = jsonencode({
		138 |     Version = "2012-10-17"
		139 |     Statement = [
		140 |       {
		141 |         Effect = "Allow",
		142 |         Action = [
		143 |           "logs:CreateLogGroup",
		144 |           "logs:CreateLogStream",
		145 |           "logs:DescribeLogStreams",
		146 |           "logs:PutRetentionPolicy",
		147 |           "logs:PutLogEvents",
		148 |           "logs:DescribeLogGroups",
		149 |           "cloudwatch:PutMetricData",
		150 |           "cloudwatch:GetMetricStatistics",
		151 |           "cloudwatch:ListMetrics",
		152 |           "ec2:DescribeInstances",
		153 |         ],
		154 |         Resource = "*"
		155 |       },
		156 |       {
		157 |         Effect = "Allow",
		158 |         Action = [
		159 |           "ec2:CreateTags"
		160 |         ],
		161 |         Resource = "*"
		162 |       }
		163 |     ]
		164 |   })
		165 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:134-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		135 |   name = "${local.application_name}-ec2-policy"
		136 |   role = aws_iam_role.ec2_instance_role.id
		137 |   policy = jsonencode({
		138 |     Version = "2012-10-17"
		139 |     Statement = [
		140 |       {
		141 |         Effect = "Allow",
		142 |         Action = [
		143 |           "logs:CreateLogGroup",
		144 |           "logs:CreateLogStream",
		145 |           "logs:DescribeLogStreams",
		146 |           "logs:PutRetentionPolicy",
		147 |           "logs:PutLogEvents",
		148 |           "logs:DescribeLogGroups",
		149 |           "cloudwatch:PutMetricData",
		150 |           "cloudwatch:GetMetricStatistics",
		151 |           "cloudwatch:ListMetrics",
		152 |           "ec2:DescribeInstances",
		153 |         ],
		154 |         Resource = "*"
		155 |       },
		156 |       {
		157 |         Effect = "Allow",
		158 |         Action = [
		159 |           "ec2:CreateTags"
		160 |         ],
		161 |         Resource = "*"
		162 |       }
		163 |     ]
		164 |   })
		165 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:263-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		263 | resource "aws_cloudwatch_log_group" "database" {
		264 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		265 |   retention_in_days = 0
		266 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		267 |   tags = merge(
		268 |     local.tags,
		269 |     {
		270 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:288-298
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		288 | resource "aws_cloudwatch_log_group" "pmon_status" {
		289 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		290 |   retention_in_days = 0
		291 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		292 |   tags = merge(
		293 |     local.tags,
		294 |     {
		295 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |     }
		297 |   )
		298 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:303-306
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		303 | resource "aws_secretsmanager_secret" "cloudfront" {
		304 |   name        = "cloudfront-v1-secret-${var.application_name}"
		305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		306 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:658-668
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		658 | resource "aws_acm_certificate" "external_lb" {
		659 | 
		660 |   domain_name               = var.acm_cert_domain_name
		661 |   validation_method         = "DNS"
		662 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		663 |   tags                      = var.tags
		664 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		665 |   lifecycle {
		666 |     prevent_destroy = false
		667 |   }
		668 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:124-179
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:303-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		303 | resource "aws_secretsmanager_secret" "cloudfront" {
		304 |   name        = "cloudfront-v1-secret-${var.application_name}"
		305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		306 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 40:
  40: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-10-01T12:02:29Z	INFO	[db] Need to update DB
2024-10-01T12:02:29Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-10-01T12:02:31Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-01T12:02:31Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-01T12:02:31Z	INFO	Need to update the built-in policies
2024-10-01T12:02:31Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-10-01T12:02:31Z	INFO	[secret] Secret scanning is enabled
2024-10-01T12:02:31Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-01T12:02:31Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-10-01T12:02:32Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-01T12:02:32Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-01T12:02:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-10-01T12:02:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-10-01T12:02:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-10-01T12:02:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-10-01T12:02:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-10-01T12:02:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-10-01T12:02:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-10-01T12:02:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-10-01T12:02:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-10-01T12:02:34Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-10-01T12:02:34Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-10-01T12:02:34Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-10-01T12:02:34Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:242"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:231"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:52"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-01T12:02:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:52"
2024-10-01T12:02:34Z	INFO	Number of language-specific files	num=0
2024-10-01T12:02:34Z	INFO	Detected config files	num=14

cloudfront.tf (terraform)
=========================
Tests: 15 (SUCCESSES: 13, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
		
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). 
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. 
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:243
   via cloudfront.tf:240-244 (viewer_certificate)
    via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 176   resource "aws_cloudfront_distribution" "external" {
 ...   
 243 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 266   }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:130-141
────────────────────────────────────────
 130resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 131 │   bucket = aws_s3_bucket.cloudfront.id
 132 │   rule {
 133 │     apply_server_side_encryption_by_default {
 134 │       sse_algorithm = "AES256"
 135 │     }
 136 │   }
 137# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 138 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 13 (SUCCESSES: 8, FAILURES: 2, EXCEPTIONS: 3)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-38
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ec2.tf:105
   via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
 103   resource "aws_vpc_security_group_egress_rule" "db_outbound" {
 104     security_group_id = aws_security_group.database.id
 105 [   cidr_ipv4         = "0.0.0.0/0"
 106     ip_protocol       = "-1"
 107   }
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 54 (SUCCESSES: 7, FAILURES: 3, EXCEPTIONS: 44)
Failures: 3 (HIGH: 2, CRITICAL: 1)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambda.tf:194
   via lambda.tf:189-195 (egress)
    via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
 184   resource "aws_security_group" "backup_lambda" {
 ...   
 194 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 201   }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



modules/alb/main.tf (terraform)
===============================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 modules/alb/main.tf:289
   via modules/alb/main.tf:284-291 (content)
    via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
     via modules/alb/main.tf:264-293 (aws_security_group.lb)
      via alb.tf:27-163 (module.alb)
────────────────────────────────────────
 264   resource "aws_security_group" "lb" {
 ...   
 289 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 293   }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 33 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 29)
Failures: 2 (HIGH: 1, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 modules/ecs/main.tf:85
   via modules/ecs/main.tf:80-87 (content)
    via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
     via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
      via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
  61   resource "aws_security_group" "cluster_ec2" {
  ..   
  85 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
  ..   
  96   }
────────────────────────────────────────


HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 7 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────



sns.tf (terraform)
==================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 sns.tf:6-14
────────────────────────────────────────
   6 ┌ resource "aws_sns_topic" "apex" {
   7 │   name = "${local.application_name}-${local.environment}-alerting-topic"
   8 │   tags = merge(
   9 │     local.tags,
  10 │     {
  11 │       Name = "${local.application_name}-${local.environment}-alerting-topic"
  12 │     }
  13 │   )
  14 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 2, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-10-02T09:02:21Z INFO [db] Need to update DB
2024-10-02T09:02:21Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-10-02T09:02:21Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: database download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:f553baa9d0cf67d18f461a05cee7e67928461882a5bf62a140f9efa1dd07b3b7: TOOMANYREQUESTS: retry-after: 798.761µs, allowed: 44000/minute
trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-02 09:02:24,249 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-02 09:02:24,250 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 345, Failed checks: 95, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:156-174
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		156 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		157 |   count  = local.environment == "production" ? 1 : 0
		158 |   bucket = aws_s3_bucket.cloudfront.id
		159 | 
		160 |   rule {
		161 |     id = "delete-after-90days"
		162 | 
		163 |     expiration {
		164 |       days = 90
		165 |     }
		166 | 
		167 |     noncurrent_version_expiration {
		168 |       newer_noncurrent_versions = 1
		169 |       noncurrent_days           = 90
		170 |     }
		171 | 
		172 |     status = "Enabled"
		173 |   }
		174 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		294 | resource "aws_acm_certificate" "cloudfront" {
		295 |   domain_name               = local.environment == "production" ? data.aws_route53_zone.production_network_services.name : local.application_data.accounts[local.environment].acm_cert_domain_name
		296 |   validation_method         = "DNS"
		297 |   provider                  = aws.us-east-1
		298 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		299 |   tags                      = local.tags
		300 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		301 |   lifecycle {
		302 |     prevent_destroy = false
		303 |   }
		304 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |     )
		30 |   }
		31 | 
		32 |   tags = merge(
		33 |     local.tags,
		34 |     { "Name" = local.database_ec2_name },
		35 |     { "instance-scheduling" = "skip-scheduling" },
		36 |     { "snapshot-with-daily-7-day-retention" = "yes" }
		37 |   )
		38 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:75-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		75 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		76 |   security_group_id            = aws_security_group.database.id
		77 |   description                  = "Allow Lambda SSH access for backup snapshots"
		78 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		79 |   from_port                    = 22
		80 |   ip_protocol                  = "tcp"
		81 |   to_port                      = 22
		82 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:103-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		103 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		104 |   security_group_id = aws_security_group.database.id
		105 |   cidr_ipv4         = "0.0.0.0/0"
		106 |   ip_protocol       = "-1"
		107 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:134-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		135 |   name = "${local.application_name}-ec2-policy"
		136 |   role = aws_iam_role.ec2_instance_role.id
		137 |   policy = jsonencode({
		138 |     Version = "2012-10-17"
		139 |     Statement = [
		140 |       {
		141 |         Effect = "Allow",
		142 |         Action = [
		143 |           "logs:CreateLogGroup",
		144 |           "logs:CreateLogStream",
		145 |           "logs:DescribeLogStreams",
		146 |           "logs:PutRetentionPolicy",
		147 |           "logs:PutLogEvents",
		148 |           "logs:DescribeLogGroups",
		149 |           "cloudwatch:PutMetricData",
		150 |           "cloudwatch:GetMetricStatistics",
		151 |           "cloudwatch:ListMetrics",
		152 |           "ec2:DescribeInstances",
		153 |         ],
		154 |         Resource = "*"
		155 |       },
		156 |       {
		157 |         Effect = "Allow",
		158 |         Action = [
		159 |           "ec2:CreateTags"
		160 |         ],
		161 |         Resource = "*"
		162 |       }
		163 |     ]
		164 |   })
		165 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:134-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		135 |   name = "${local.application_name}-ec2-policy"
		136 |   role = aws_iam_role.ec2_instance_role.id
		137 |   policy = jsonencode({
		138 |     Version = "2012-10-17"
		139 |     Statement = [
		140 |       {
		141 |         Effect = "Allow",
		142 |         Action = [
		143 |           "logs:CreateLogGroup",
		144 |           "logs:CreateLogStream",
		145 |           "logs:DescribeLogStreams",
		146 |           "logs:PutRetentionPolicy",
		147 |           "logs:PutLogEvents",
		148 |           "logs:DescribeLogGroups",
		149 |           "cloudwatch:PutMetricData",
		150 |           "cloudwatch:GetMetricStatistics",
		151 |           "cloudwatch:ListMetrics",
		152 |           "ec2:DescribeInstances",
		153 |         ],
		154 |         Resource = "*"
		155 |       },
		156 |       {
		157 |         Effect = "Allow",
		158 |         Action = [
		159 |           "ec2:CreateTags"
		160 |         ],
		161 |         Resource = "*"
		162 |       }
		163 |     ]
		164 |   })
		165 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:263-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		263 | resource "aws_cloudwatch_log_group" "database" {
		264 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		265 |   retention_in_days = 0
		266 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		267 |   tags = merge(
		268 |     local.tags,
		269 |     {
		270 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:288-298
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		288 | resource "aws_cloudwatch_log_group" "pmon_status" {
		289 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		290 |   retention_in_days = 0
		291 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		292 |   tags = merge(
		293 |     local.tags,
		294 |     {
		295 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |     }
		297 |   )
		298 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:124-179
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:303-306
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		303 | resource "aws_secretsmanager_secret" "cloudfront" {
		304 |   name        = "cloudfront-v1-secret-${var.application_name}"
		305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		306 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:577-604
	Calling File: /alb.tf:27-163

		577 | resource "aws_lb_target_group" "alb_target_group" {
		578 |   name                 = "${var.application_name}-alb-tg"
		579 |   port                 = var.target_group_port
		580 |   protocol             = var.target_group_protocol
		581 |   vpc_id               = var.vpc_id
		582 |   deregistration_delay = var.target_group_deregistration_delay
		583 |   health_check {
		584 |     interval            = var.healthcheck_interval
		585 |     path                = var.healthcheck_path
		586 |     protocol            = var.healthcheck_protocol
		587 |     timeout             = var.healthcheck_timeout
		588 |     healthy_threshold   = var.healthcheck_healthy_threshold
		589 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		590 |   }
		591 |   stickiness {
		592 |     enabled         = var.stickiness_enabled
		593 |     type            = var.stickiness_type
		594 |     cookie_duration = var.stickiness_cookie_duration
		595 |   }
		596 | 
		597 |   tags = merge(
		598 |     var.tags,
		599 |     {
		600 |       Name = "${var.application_name}-alb-tg"
		601 |     },
		602 |   )
		603 | 
		604 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:658-668
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		658 | resource "aws_acm_certificate" "external_lb" {
		659 | 
		660 |   domain_name               = var.acm_cert_domain_name
		661 |   validation_method         = "DNS"
		662 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		663 |   tags                      = var.tags
		664 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		665 |   lifecycle {
		666 |     prevent_destroy = false
		667 |   }
		668 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:303-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		303 | resource "aws_secretsmanager_secret" "cloudfront" {
		304 |   name        = "cloudfront-v1-secret-${var.application_name}"
		305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		306 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 40:
  40: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-10-02T09:02:21Z	INFO	[db] Need to update DB
2024-10-02T09:02:21Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-10-02T09:02:21Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: database download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:f553baa9d0cf67d18f461a05cee7e67928461882a5bf62a140f9efa1dd07b3b7: TOOMANYREQUESTS: retry-after: 798.761µs, allowed: 44000/minute
trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 2, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-10-02T09:15:16Z INFO [db] Need to update DB
2024-10-02T09:15:16Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-10-02T09:15:19Z INFO [vuln] Vulnerability scanning is enabled
2024-10-02T09:15:19Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-02T09:15:19Z INFO Need to update the built-in policies
2024-10-02T09:15:19Z INFO Downloading the built-in policies...
2024-10-02T09:15:19Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/0: TOOMANYREQUESTS: retry-after: 848.233µs, allowed: 44000/minute\n\n"
2024-10-02T09:15:19Z INFO [secret] Secret scanning is enabled
2024-10-02T09:15:19Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-02T09:15:19Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-10-02T09:15:20Z WARN [rego] Module has no input selectors - it will be loaded for all inputs! file_path="lib/test/test.rego" module="lib/test/test.rego"
2024-10-02T09:15:20Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-02T09:15:20Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-02T09:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-10-02T09:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-10-02T09:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-10-02T09:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-10-02T09:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-10-02T09:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-10-02T09:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-10-02T09:15:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-10-02T09:15:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-10-02T09:15:21Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-10-02T09:15:21Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-10-02T09:15:21Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-10-02T09:15:21Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:231"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:242"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:242"
2024-10-02T09:15:22Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:52"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:52"
2024-10-02T09:15:23Z WARN [rego] Module has no input selectors - it will be loaded for all inputs! file_path="lib/test/test.rego" module="lib/test/test.rego"
2024-10-02T09:15:23Z INFO Number of language-specific files num=0
2024-10-02T09:15:23Z INFO Detected config files num=14

cloudfront.tf (terraform)

Tests: 17 (SUCCESSES: 13, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:243
via cloudfront.tf:240-244 (viewer_certificate)
via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
176 resource "aws_cloudfront_distribution" "external" {
...
243 [ minimum_protocol_version = "TLSv1.2_2018"
...
266 }
────────────────────────────────────────

HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:243
via cloudfront.tf:240-244 (viewer_certificate)
via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
176 resource "aws_cloudfront_distribution" "external" {
...
243 [ minimum_protocol_version = "TLSv1.2_2018"
...
266 }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:130-141
────────────────────────────────────────
130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
131 │ bucket = aws_s3_bucket.cloudfront.id
132 │ rule {
133 │ apply_server_side_encryption_by_default {
134 │ sse_algorithm = "AES256"
135 │ }
136 │ }
137 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
138 └ lifecycle {
...
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:130-141
────────────────────────────────────────
130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
131 │ bucket = aws_s3_bucket.cloudfront.id
132 │ rule {
133 │ apply_server_side_encryption_by_default {
134 │ sse_algorithm = "AES256"
135 │ }
136 │ }
137 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
138 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 15 (SUCCESSES: 8, FAILURES: 4, EXCEPTIONS: 3)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-38
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-38
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2.tf:105
via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
103 resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 security_group_id = aws_security_group.database.id
105 [ cidr_ipv4 = "0.0.0.0/0"
106 ip_protocol = "-1"
107 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2.tf:105
via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
103 resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 security_group_id = aws_security_group.database.id
105 [ cidr_ipv4 = "0.0.0.0/0"
106 ip_protocol = "-1"
107 }
────────────────────────────────────────

lambda.tf (terraform)

Tests: 57 (SUCCESSES: 7, FAILURES: 6, EXCEPTIONS: 44)
Failures: 6 (HIGH: 4, CRITICAL: 2)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambda.tf:194
via lambda.tf:189-195 (egress)
via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambda.tf:194
via lambda.tf:189-195 (egress)
via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

modules/alb/main.tf (terraform)

Tests: 10 (SUCCESSES: 6, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/alb/main.tf:289
via modules/alb/main.tf:284-291 (content)
via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
via modules/alb/main.tf:264-293 (aws_security_group.lb)
via alb.tf:27-163 (module.alb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/alb/main.tf:289
via modules/alb/main.tf:284-291 (content)
via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
via modules/alb/main.tf:264-293 (aws_security_group.lb)
via alb.tf:27-163 (module.alb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 35 (SUCCESSES: 2, FAILURES: 4, EXCEPTIONS: 29)
Failures: 4 (HIGH: 2, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/ecs/main.tf:85
via modules/ecs/main.tf:80-87 (content)
via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
61 resource "aws_security_group" "cluster_ec2" {
..
85 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
..
96 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/ecs/main.tf:85
via modules/ecs/main.tf:80-87 (content)
via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
61 resource "aws_security_group" "cluster_ec2" {
..
85 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
..
96 }
────────────────────────────────────────

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 9 (SUCCESSES: 5, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

sns.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:6-14
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "apex" {
7 │ name = "${local.application_name}-${local.environment}-alerting-topic"
8 │ tags = merge(
9 │ local.tags,
10 │ {
11 │ Name = "${local.application_name}-${local.environment}-alerting-topic"
12 │ }
13 │ )
14 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:6-14
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "apex" {
7 │ name = "${local.application_name}-${local.environment}-alerting-topic"
8 │ tags = merge(
9 │ local.tags,
10 │ {
11 │ Name = "${local.application_name}-${local.environment}-alerting-topic"
12 │ }
13 │ )
14 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-02 09:15:26,460 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-02 09:15:26,460 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 345, Failed checks: 95, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:156-174
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		156 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		157 |   count  = local.environment == "production" ? 1 : 0
		158 |   bucket = aws_s3_bucket.cloudfront.id
		159 | 
		160 |   rule {
		161 |     id = "delete-after-90days"
		162 | 
		163 |     expiration {
		164 |       days = 90
		165 |     }
		166 | 
		167 |     noncurrent_version_expiration {
		168 |       newer_noncurrent_versions = 1
		169 |       noncurrent_days           = 90
		170 |     }
		171 | 
		172 |     status = "Enabled"
		173 |   }
		174 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		294 | resource "aws_acm_certificate" "cloudfront" {
		295 |   domain_name               = local.environment == "production" ? data.aws_route53_zone.production_network_services.name : local.application_data.accounts[local.environment].acm_cert_domain_name
		296 |   validation_method         = "DNS"
		297 |   provider                  = aws.us-east-1
		298 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		299 |   tags                      = local.tags
		300 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		301 |   lifecycle {
		302 |     prevent_destroy = false
		303 |   }
		304 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |     )
		30 |   }
		31 | 
		32 |   tags = merge(
		33 |     local.tags,
		34 |     { "Name" = local.database_ec2_name },
		35 |     { "instance-scheduling" = "skip-scheduling" },
		36 |     { "snapshot-with-daily-7-day-retention" = "yes" }
		37 |   )
		38 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:75-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		75 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		76 |   security_group_id            = aws_security_group.database.id
		77 |   description                  = "Allow Lambda SSH access for backup snapshots"
		78 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		79 |   from_port                    = 22
		80 |   ip_protocol                  = "tcp"
		81 |   to_port                      = 22
		82 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:103-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		103 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		104 |   security_group_id = aws_security_group.database.id
		105 |   cidr_ipv4         = "0.0.0.0/0"
		106 |   ip_protocol       = "-1"
		107 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:134-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		135 |   name = "${local.application_name}-ec2-policy"
		136 |   role = aws_iam_role.ec2_instance_role.id
		137 |   policy = jsonencode({
		138 |     Version = "2012-10-17"
		139 |     Statement = [
		140 |       {
		141 |         Effect = "Allow",
		142 |         Action = [
		143 |           "logs:CreateLogGroup",
		144 |           "logs:CreateLogStream",
		145 |           "logs:DescribeLogStreams",
		146 |           "logs:PutRetentionPolicy",
		147 |           "logs:PutLogEvents",
		148 |           "logs:DescribeLogGroups",
		149 |           "cloudwatch:PutMetricData",
		150 |           "cloudwatch:GetMetricStatistics",
		151 |           "cloudwatch:ListMetrics",
		152 |           "ec2:DescribeInstances",
		153 |         ],
		154 |         Resource = "*"
		155 |       },
		156 |       {
		157 |         Effect = "Allow",
		158 |         Action = [
		159 |           "ec2:CreateTags"
		160 |         ],
		161 |         Resource = "*"
		162 |       }
		163 |     ]
		164 |   })
		165 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:134-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		135 |   name = "${local.application_name}-ec2-policy"
		136 |   role = aws_iam_role.ec2_instance_role.id
		137 |   policy = jsonencode({
		138 |     Version = "2012-10-17"
		139 |     Statement = [
		140 |       {
		141 |         Effect = "Allow",
		142 |         Action = [
		143 |           "logs:CreateLogGroup",
		144 |           "logs:CreateLogStream",
		145 |           "logs:DescribeLogStreams",
		146 |           "logs:PutRetentionPolicy",
		147 |           "logs:PutLogEvents",
		148 |           "logs:DescribeLogGroups",
		149 |           "cloudwatch:PutMetricData",
		150 |           "cloudwatch:GetMetricStatistics",
		151 |           "cloudwatch:ListMetrics",
		152 |           "ec2:DescribeInstances",
		153 |         ],
		154 |         Resource = "*"
		155 |       },
		156 |       {
		157 |         Effect = "Allow",
		158 |         Action = [
		159 |           "ec2:CreateTags"
		160 |         ],
		161 |         Resource = "*"
		162 |       }
		163 |     ]
		164 |   })
		165 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:263-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		263 | resource "aws_cloudwatch_log_group" "database" {
		264 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		265 |   retention_in_days = 0
		266 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		267 |   tags = merge(
		268 |     local.tags,
		269 |     {
		270 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:288-298
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		288 | resource "aws_cloudwatch_log_group" "pmon_status" {
		289 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		290 |   retention_in_days = 0
		291 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		292 |   tags = merge(
		293 |     local.tags,
		294 |     {
		295 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |     }
		297 |   )
		298 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:303-306
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		303 | resource "aws_secretsmanager_secret" "cloudfront" {
		304 |   name        = "cloudfront-v1-secret-${var.application_name}"
		305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		306 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:577-604
	Calling File: /alb.tf:27-163

		577 | resource "aws_lb_target_group" "alb_target_group" {
		578 |   name                 = "${var.application_name}-alb-tg"
		579 |   port                 = var.target_group_port
		580 |   protocol             = var.target_group_protocol
		581 |   vpc_id               = var.vpc_id
		582 |   deregistration_delay = var.target_group_deregistration_delay
		583 |   health_check {
		584 |     interval            = var.healthcheck_interval
		585 |     path                = var.healthcheck_path
		586 |     protocol            = var.healthcheck_protocol
		587 |     timeout             = var.healthcheck_timeout
		588 |     healthy_threshold   = var.healthcheck_healthy_threshold
		589 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		590 |   }
		591 |   stickiness {
		592 |     enabled         = var.stickiness_enabled
		593 |     type            = var.stickiness_type
		594 |     cookie_duration = var.stickiness_cookie_duration
		595 |   }
		596 | 
		597 |   tags = merge(
		598 |     var.tags,
		599 |     {
		600 |       Name = "${var.application_name}-alb-tg"
		601 |     },
		602 |   )
		603 | 
		604 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:658-668
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		658 | resource "aws_acm_certificate" "external_lb" {
		659 | 
		660 |   domain_name               = var.acm_cert_domain_name
		661 |   validation_method         = "DNS"
		662 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		663 |   tags                      = var.tags
		664 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		665 |   lifecycle {
		666 |     prevent_destroy = false
		667 |   }
		668 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:124-179
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:303-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		303 | resource "aws_secretsmanager_secret" "cloudfront" {
		304 |   name        = "cloudfront-v1-secret-${var.application_name}"
		305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		306 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 40:
  40: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-10-02T09:15:16Z	INFO	[db] Need to update DB
2024-10-02T09:15:16Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-10-02T09:15:19Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-02T09:15:19Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-02T09:15:19Z	INFO	Need to update the built-in policies
2024-10-02T09:15:19Z	INFO	Downloading the built-in policies...
2024-10-02T09:15:19Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/0: TOOMANYREQUESTS: retry-after: 848.233µs, allowed: 44000/minute\n\n"
2024-10-02T09:15:19Z	INFO	[secret] Secret scanning is enabled
2024-10-02T09:15:19Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-02T09:15:19Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-10-02T09:15:20Z	WARN	[rego] Module has no input selectors - it will be loaded for all inputs!	file_path="lib/test/test.rego" module="lib/test/test.rego"
2024-10-02T09:15:20Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-02T09:15:20Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-02T09:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-10-02T09:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-10-02T09:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-10-02T09:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-10-02T09:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-10-02T09:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-10-02T09:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-10-02T09:15:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-10-02T09:15:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-10-02T09:15:21Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-10-02T09:15:21Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-10-02T09:15:21Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-10-02T09:15:21Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:231"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:242"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:242"
2024-10-02T09:15:22Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:52"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-10-02T09:15:23Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:52"
2024-10-02T09:15:23Z	WARN	[rego] Module has no input selectors - it will be loaded for all inputs!	file_path="lib/test/test.rego" module="lib/test/test.rego"
2024-10-02T09:15:23Z	INFO	Number of language-specific files	num=0
2024-10-02T09:15:23Z	INFO	Detected config files	num=14

cloudfront.tf (terraform)
=========================
Tests: 17 (SUCCESSES: 13, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
		
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). 
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. 
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:243
   via cloudfront.tf:240-244 (viewer_certificate)
    via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 176   resource "aws_cloudfront_distribution" "external" {
 ...   
 243 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 266   }
────────────────────────────────────────


HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:243
   via cloudfront.tf:240-244 (viewer_certificate)
    via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 176   resource "aws_cloudfront_distribution" "external" {
 ...   
 243 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 266   }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:130-141
────────────────────────────────────────
 130resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 131 │   bucket = aws_s3_bucket.cloudfront.id
 132 │   rule {
 133 │     apply_server_side_encryption_by_default {
 134 │       sse_algorithm = "AES256"
 135 │     }
 136 │   }
 137# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 138 └   lifecycle {
 ...   
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:130-141
────────────────────────────────────────
 130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 131 │   bucket = aws_s3_bucket.cloudfront.id
 132 │   rule {
 133 │     apply_server_side_encryption_by_default {
 134 │       sse_algorithm = "AES256"
 135 │     }
 136 │   }
 137# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 138 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 15 (SUCCESSES: 8, FAILURES: 4, EXCEPTIONS: 3)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-38
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────


HIGH: Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-38
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ec2.tf:105
   via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
 103   resource "aws_vpc_security_group_egress_rule" "db_outbound" {
 104     security_group_id = aws_security_group.database.id
 105 [   cidr_ipv4         = "0.0.0.0/0"
 106     ip_protocol       = "-1"
 107   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.


See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ec2.tf:105
   via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
 103   resource "aws_vpc_security_group_egress_rule" "db_outbound" {
 104     security_group_id = aws_security_group.database.id
 105 [   cidr_ipv4         = "0.0.0.0/0"
 106     ip_protocol       = "-1"
 107   }
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 57 (SUCCESSES: 7, FAILURES: 6, EXCEPTIONS: 44)
Failures: 6 (HIGH: 4, CRITICAL: 2)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.


See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambda.tf:194
   via lambda.tf:189-195 (egress)
    via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
 184   resource "aws_security_group" "backup_lambda" {
 ...   
 194 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 201   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambda.tf:194
   via lambda.tf:189-195 (egress)
    via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
 184   resource "aws_security_group" "backup_lambda" {
 ...   
 194 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 201   }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



modules/alb/main.tf (terraform)
===============================
Tests: 10 (SUCCESSES: 6, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.


See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 modules/alb/main.tf:289
   via modules/alb/main.tf:284-291 (content)
    via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
     via modules/alb/main.tf:264-293 (aws_security_group.lb)
      via alb.tf:27-163 (module.alb)
────────────────────────────────────────
 264   resource "aws_security_group" "lb" {
 ...   
 289 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 293   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 modules/alb/main.tf:289
   via modules/alb/main.tf:284-291 (content)
    via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
     via modules/alb/main.tf:264-293 (aws_security_group.lb)
      via alb.tf:27-163 (module.alb)
────────────────────────────────────────
 264   resource "aws_security_group" "lb" {
 ...   
 289 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 293   }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 35 (SUCCESSES: 2, FAILURES: 4, EXCEPTIONS: 29)
Failures: 4 (HIGH: 2, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 modules/ecs/main.tf:85
   via modules/ecs/main.tf:80-87 (content)
    via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
     via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
      via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
  61   resource "aws_security_group" "cluster_ec2" {
  ..   
  85 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
  ..   
  96   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.


See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 modules/ecs/main.tf:85
   via modules/ecs/main.tf:80-87 (content)
    via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
     via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
      via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
  61   resource "aws_security_group" "cluster_ec2" {
  ..   
  85 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
  ..   
  96   }
────────────────────────────────────────


HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────


HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 9 (SUCCESSES: 5, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────



sns.tf (terraform)
==================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 sns.tf:6-14
────────────────────────────────────────
   6 ┌ resource "aws_sns_topic" "apex" {
   7 │   name = "${local.application_name}-${local.environment}-alerting-topic"
   8 │   tags = merge(
   9 │     local.tags,
  10 │     {
  11 │       Name = "${local.application_name}-${local.environment}-alerting-topic"
  12 │     }
  13 │   )
  14 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.


See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 sns.tf:6-14
────────────────────────────────────────
   6 ┌ resource "aws_sns_topic" "apex" {
   7 │   name = "${local.application_name}-${local.environment}-alerting-topic"
   8 │   tags = merge(
   9 │     local.tags,
  10 │     {
  11 │       Name = "${local.application_name}-${local.environment}-alerting-topic"
  12 │     }
  13 │   )
  14 └ }
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 merged commit 7a7b25b into main Oct 2, 2024
11 of 14 checks passed
@vc13837 vc13837 deleted the TM-522 branch October 2, 2024 11:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vladimir-kovalyov vladimir-kovalyov vladimir-kovalyov approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vc13837 @vladimir-kovalyov