Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TM-536, updating APEX WAF from Classic to new WAFv2 #9198

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

TM-536, updating APEX WAF from Classic to new WAFv2 #9198

wants to merge 8 commits into from

Conversation

mnasr-moj
Copy link
Contributor

No description provided.

@mnasr-moj mnasr-moj requested review from a team as code owners December 30, 2024 16:33
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 30, 2024
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-12-30T16:35:11Z INFO [vulndb] Need to update DB
2024-12-30T16:35:11Z INFO [vulndb] Downloading vulnerability DB...
2024-12-30T16:35:11Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:35:13Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:35:13Z INFO [vuln] Vulnerability scanning is enabled
2024-12-30T16:35:13Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-30T16:35:13Z INFO [misconfig] Need to update the built-in checks
2024-12-30T16:35:13Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-30T16:35:13Z INFO [secret] Secret scanning is enabled
2024-12-30T16:35:13Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-30T16:35:13Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-30T16:35:15Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-30T16:35:15Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-30T16:35:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-30T16:35:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-30T16:35:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-30T16:35:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-30T16:35:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-30T16:35:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-30T16:35:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:35:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:35:15Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-30T16:35:15Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-30T16:35:15Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-30T16:35:15Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-30T16:35:17Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-30T16:35:17Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-30T16:35:17Z INFO Number of language-specific files num=0
2024-12-30T16:35:17Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-30 16:35:19,581 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-30 16:35:19,581 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 359, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:91-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		91  | resource "aws_wafv2_web_acl" "waf_acl" {
		92  |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		93  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		94  |   description = "Web ACL for ${local.application_name}"
		95  | 
		96  |   default_action {
		97  |     block {}
		98  |   }
		99  | 
		100 |   rule {
		101 |     name     = "ManualAllowBlockRules"
		102 |     priority = 1
		103 | 
		104 |     statement {
		105 |       rule_group_reference_statement {
		106 |         arn = aws_wafv2_rule_group.manual_rules.arn
		107 |       }
		108 |     }
		109 | 
		110 |     override_action {
		111 |       none {}
		112 |     }
		113 | 
		114 |     visibility_config {
		115 |       sampled_requests_enabled   = true
		116 |       cloudwatch_metrics_enabled = true
		117 |       metric_name                = "ManualAllowBlockRules"
		118 |     }
		119 |   }
		120 | 
		121 |   visibility_config {
		122 |     sampled_requests_enabled   = true
		123 |     cloudwatch_metrics_enabled = true
		124 |     metric_name                = "${upper(local.application_name)} Whitelisting Requesters"
		125 |   }
		126 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:91-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		91  | resource "aws_wafv2_web_acl" "waf_acl" {
		92  |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		93  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		94  |   description = "Web ACL for ${local.application_name}"
		95  | 
		96  |   default_action {
		97  |     block {}
		98  |   }
		99  | 
		100 |   rule {
		101 |     name     = "ManualAllowBlockRules"
		102 |     priority = 1
		103 | 
		104 |     statement {
		105 |       rule_group_reference_statement {
		106 |         arn = aws_wafv2_rule_group.manual_rules.arn
		107 |       }
		108 |     }
		109 | 
		110 |     override_action {
		111 |       none {}
		112 |     }
		113 | 
		114 |     visibility_config {
		115 |       sampled_requests_enabled   = true
		116 |       cloudwatch_metrics_enabled = true
		117 |       metric_name                = "ManualAllowBlockRules"
		118 |     }
		119 |   }
		120 | 
		121 |   visibility_config {
		122 |     sampled_requests_enabled   = true
		123 |     cloudwatch_metrics_enabled = true
		124 |     metric_name                = "${upper(local.application_name)} Whitelisting Requesters"
		125 |   }
		126 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-30T16:35:11Z	INFO	[vulndb] Need to update DB
2024-12-30T16:35:11Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-30T16:35:11Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:35:13Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:35:13Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-30T16:35:13Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-30T16:35:13Z	INFO	[misconfig] Need to update the built-in checks
2024-12-30T16:35:13Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-30T16:35:13Z	INFO	[secret] Secret scanning is enabled
2024-12-30T16:35:13Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-30T16:35:13Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-30T16:35:15Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-30T16:35:15Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-30T16:35:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-30T16:35:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-30T16:35:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-30T16:35:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-30T16:35:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-30T16:35:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-30T16:35:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:35:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:35:15Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-30T16:35:15Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-30T16:35:15Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-30T16:35:15Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-30T16:35:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-30T16:35:17Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-30T16:35:17Z	INFO	Number of language-specific files	num=0
2024-12-30T16:35:17Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-12-30T16:41:27Z INFO [vulndb] Need to update DB
2024-12-30T16:41:27Z INFO [vulndb] Downloading vulnerability DB...
2024-12-30T16:41:27Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:41:29Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:41:29Z INFO [vuln] Vulnerability scanning is enabled
2024-12-30T16:41:29Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-30T16:41:29Z INFO [misconfig] Need to update the built-in checks
2024-12-30T16:41:29Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-30T16:41:30Z INFO [secret] Secret scanning is enabled
2024-12-30T16:41:30Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-30T16:41:30Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-30T16:41:32Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-30T16:41:32Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-30T16:41:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-30T16:41:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-30T16:41:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-30T16:41:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-30T16:41:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-30T16:41:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-30T16:41:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:41:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:41:33Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-30T16:41:33Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-30T16:41:33Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-30T16:41:33Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-30T16:41:34Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-30T16:41:34Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-30T16:41:35Z INFO Number of language-specific files num=0
2024-12-30T16:41:35Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-30 16:41:38,046 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-30 16:41:38,047 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 359, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:91-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		91  | resource "aws_wafv2_web_acl" "waf_acl" {
		92  |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		93  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		94  |   description = "Web ACL for ${local.application_name}"
		95  | 
		96  |   default_action {
		97  |     block {}
		98  |   }
		99  | 
		100 |   rule {
		101 |     name     = "ManualAllowBlockRules"
		102 |     priority = 1
		103 | 
		104 |     statement {
		105 |       rule_group_reference_statement {
		106 |         arn = aws_wafv2_rule_group.manual_rules.arn
		107 |       }
		108 |     }
		109 | 
		110 |     override_action {
		111 |       none {}
		112 |     }
		113 | 
		114 |     visibility_config {
		115 |       sampled_requests_enabled   = true
		116 |       cloudwatch_metrics_enabled = true
		117 |       metric_name                = "ManualAllowBlockRules"
		118 |     }
		119 |   }
		120 | 
		121 |   visibility_config {
		122 |     sampled_requests_enabled   = true
		123 |     cloudwatch_metrics_enabled = true
		124 |     metric_name                = "${upper(local.application_name)} Whitelisting Requesters"
		125 |   }
		126 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:91-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		91  | resource "aws_wafv2_web_acl" "waf_acl" {
		92  |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		93  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		94  |   description = "Web ACL for ${local.application_name}"
		95  | 
		96  |   default_action {
		97  |     block {}
		98  |   }
		99  | 
		100 |   rule {
		101 |     name     = "ManualAllowBlockRules"
		102 |     priority = 1
		103 | 
		104 |     statement {
		105 |       rule_group_reference_statement {
		106 |         arn = aws_wafv2_rule_group.manual_rules.arn
		107 |       }
		108 |     }
		109 | 
		110 |     override_action {
		111 |       none {}
		112 |     }
		113 | 
		114 |     visibility_config {
		115 |       sampled_requests_enabled   = true
		116 |       cloudwatch_metrics_enabled = true
		117 |       metric_name                = "ManualAllowBlockRules"
		118 |     }
		119 |   }
		120 | 
		121 |   visibility_config {
		122 |     sampled_requests_enabled   = true
		123 |     cloudwatch_metrics_enabled = true
		124 |     metric_name                = "${upper(local.application_name)} Whitelisting Requesters"
		125 |   }
		126 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-30T16:41:27Z	INFO	[vulndb] Need to update DB
2024-12-30T16:41:27Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-30T16:41:27Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:41:29Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:41:29Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-30T16:41:29Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-30T16:41:29Z	INFO	[misconfig] Need to update the built-in checks
2024-12-30T16:41:29Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-30T16:41:30Z	INFO	[secret] Secret scanning is enabled
2024-12-30T16:41:30Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-30T16:41:30Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-30T16:41:32Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-30T16:41:32Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-30T16:41:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-30T16:41:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-30T16:41:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-30T16:41:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-30T16:41:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-30T16:41:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-30T16:41:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:41:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:41:33Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-30T16:41:33Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-30T16:41:33Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-30T16:41:33Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-30T16:41:34Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-30T16:41:34Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-30T16:41:35Z	INFO	Number of language-specific files	num=0
2024-12-30T16:41:35Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-12-30T16:53:36Z INFO [vulndb] Need to update DB
2024-12-30T16:53:36Z INFO [vulndb] Downloading vulnerability DB...
2024-12-30T16:53:36Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:53:38Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:53:38Z INFO [vuln] Vulnerability scanning is enabled
2024-12-30T16:53:38Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-30T16:53:38Z INFO [misconfig] Need to update the built-in checks
2024-12-30T16:53:38Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-30T16:53:39Z INFO [secret] Secret scanning is enabled
2024-12-30T16:53:39Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-30T16:53:39Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-30T16:53:40Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-30T16:53:40Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-30T16:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-30T16:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-30T16:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-30T16:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-30T16:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-30T16:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-30T16:53:40Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:53:40Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:53:41Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-30T16:53:41Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-30T16:53:41Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-30T16:53:41Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-30T16:53:42Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-30T16:53:42Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-30T16:53:42Z INFO Number of language-specific files num=0
2024-12-30T16:53:42Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-30 16:53:45,377 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-30 16:53:45,377 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 359, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:91-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		91  | resource "aws_wafv2_web_acl" "waf_acl" {
		92  |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		93  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		94  |   description = "Web ACL for ${local.application_name}"
		95  | 
		96  |   default_action {
		97  |     block {}
		98  |   }
		99  | 
		100 |   rule {
		101 |     name     = "ManualAllowBlockRules"
		102 |     priority = 1
		103 | 
		104 |     statement {
		105 |       rule_group_reference_statement {
		106 |         arn = aws_wafv2_rule_group.manual-rules.arn
		107 |       }
		108 |     }
		109 | 
		110 |     override_action {
		111 |       none {}
		112 |     }
		113 | 
		114 |     visibility_config {
		115 |       sampled_requests_enabled   = true
		116 |       cloudwatch_metrics_enabled = true
		117 |       metric_name                = "ManualAllowBlockRules"
		118 |     }
		119 |   }
		120 | 
		121 |   visibility_config {
		122 |     sampled_requests_enabled   = true
		123 |     cloudwatch_metrics_enabled = true
		124 |     metric_name                = "${upper(local.application_name)} Whitelisting Requesters"
		125 |   }
		126 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:91-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		91  | resource "aws_wafv2_web_acl" "waf_acl" {
		92  |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		93  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		94  |   description = "Web ACL for ${local.application_name}"
		95  | 
		96  |   default_action {
		97  |     block {}
		98  |   }
		99  | 
		100 |   rule {
		101 |     name     = "ManualAllowBlockRules"
		102 |     priority = 1
		103 | 
		104 |     statement {
		105 |       rule_group_reference_statement {
		106 |         arn = aws_wafv2_rule_group.manual-rules.arn
		107 |       }
		108 |     }
		109 | 
		110 |     override_action {
		111 |       none {}
		112 |     }
		113 | 
		114 |     visibility_config {
		115 |       sampled_requests_enabled   = true
		116 |       cloudwatch_metrics_enabled = true
		117 |       metric_name                = "ManualAllowBlockRules"
		118 |     }
		119 |   }
		120 | 
		121 |   visibility_config {
		122 |     sampled_requests_enabled   = true
		123 |     cloudwatch_metrics_enabled = true
		124 |     metric_name                = "${upper(local.application_name)} Whitelisting Requesters"
		125 |   }
		126 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-30T16:53:36Z	INFO	[vulndb] Need to update DB
2024-12-30T16:53:36Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-30T16:53:36Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:53:38Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:53:38Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-30T16:53:38Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-30T16:53:38Z	INFO	[misconfig] Need to update the built-in checks
2024-12-30T16:53:38Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-30T16:53:39Z	INFO	[secret] Secret scanning is enabled
2024-12-30T16:53:39Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-30T16:53:39Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-30T16:53:40Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-30T16:53:40Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-30T16:53:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-30T16:53:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-30T16:53:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-30T16:53:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-30T16:53:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-30T16:53:40Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-30T16:53:40Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:53:40Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:53:41Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-30T16:53:41Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-30T16:53:41Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-30T16:53:41Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-30T16:53:42Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-30T16:53:42Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-30T16:53:42Z	INFO	Number of language-specific files	num=0
2024-12-30T16:53:42Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-12-30T16:56:44Z INFO [vulndb] Need to update DB
2024-12-30T16:56:44Z INFO [vulndb] Downloading vulnerability DB...
2024-12-30T16:56:44Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:56:47Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:56:47Z INFO [vuln] Vulnerability scanning is enabled
2024-12-30T16:56:47Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-30T16:56:47Z INFO [misconfig] Need to update the built-in checks
2024-12-30T16:56:47Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-30T16:56:47Z INFO [secret] Secret scanning is enabled
2024-12-30T16:56:47Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-30T16:56:47Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-30T16:56:48Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-30T16:56:48Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-30T16:56:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-30T16:56:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-30T16:56:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-30T16:56:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-30T16:56:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-30T16:56:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-30T16:56:49Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:56:49Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:56:49Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-30T16:56:49Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-30T16:56:49Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-30T16:56:49Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-30T16:56:51Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-30T16:56:51Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-30T16:56:51Z INFO Number of language-specific files num=0
2024-12-30T16:56:51Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-30 16:56:53,666 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-30 16:56:53,666 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 359, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:91-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		91  | resource "aws_wafv2_web_acl" "waf_acl" {
		92  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		93  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		94  |   description = "Web ACL for ${local.application_name}"
		95  | 
		96  |   default_action {
		97  |     block {}
		98  |   }
		99  | 
		100 |   rule {
		101 |     name     = "ManualAllowBlockRules"
		102 |     priority = 1
		103 | 
		104 |     statement {
		105 |       rule_group_reference_statement {
		106 |         arn = aws_wafv2_rule_group.manual-rules.arn
		107 |       }
		108 |     }
		109 | 
		110 |     override_action {
		111 |       none {}
		112 |     }
		113 | 
		114 |     visibility_config {
		115 |       sampled_requests_enabled   = true
		116 |       cloudwatch_metrics_enabled = true
		117 |       metric_name                = "ManualAllowBlockRules"
		118 |     }
		119 |   }
		120 | 
		121 |   visibility_config {
		122 |     sampled_requests_enabled   = true
		123 |     cloudwatch_metrics_enabled = true
		124 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		125 |   }
		126 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:91-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		91  | resource "aws_wafv2_web_acl" "waf_acl" {
		92  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		93  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		94  |   description = "Web ACL for ${local.application_name}"
		95  | 
		96  |   default_action {
		97  |     block {}
		98  |   }
		99  | 
		100 |   rule {
		101 |     name     = "ManualAllowBlockRules"
		102 |     priority = 1
		103 | 
		104 |     statement {
		105 |       rule_group_reference_statement {
		106 |         arn = aws_wafv2_rule_group.manual-rules.arn
		107 |       }
		108 |     }
		109 | 
		110 |     override_action {
		111 |       none {}
		112 |     }
		113 | 
		114 |     visibility_config {
		115 |       sampled_requests_enabled   = true
		116 |       cloudwatch_metrics_enabled = true
		117 |       metric_name                = "ManualAllowBlockRules"
		118 |     }
		119 |   }
		120 | 
		121 |   visibility_config {
		122 |     sampled_requests_enabled   = true
		123 |     cloudwatch_metrics_enabled = true
		124 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		125 |   }
		126 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-30T16:56:44Z	INFO	[vulndb] Need to update DB
2024-12-30T16:56:44Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-30T16:56:44Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:56:47Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-30T16:56:47Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-30T16:56:47Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-30T16:56:47Z	INFO	[misconfig] Need to update the built-in checks
2024-12-30T16:56:47Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-30T16:56:47Z	INFO	[secret] Secret scanning is enabled
2024-12-30T16:56:47Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-30T16:56:47Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-30T16:56:48Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-30T16:56:48Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-30T16:56:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-30T16:56:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-30T16:56:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-30T16:56:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-30T16:56:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-30T16:56:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-30T16:56:49Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:56:49Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-30T16:56:49Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-30T16:56:49Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-30T16:56:49Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-30T16:56:49Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-30T16:56:51Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-30T16:56:51Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-30T16:56:51Z	INFO	Number of language-specific files	num=0
2024-12-30T16:56:51Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-12-31T11:09:44Z INFO [vulndb] Need to update DB
2024-12-31T11:09:44Z INFO [vulndb] Downloading vulnerability DB...
2024-12-31T11:09:44Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:09:46Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:09:46Z INFO [vuln] Vulnerability scanning is enabled
2024-12-31T11:09:46Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-31T11:09:46Z INFO [misconfig] Need to update the built-in checks
2024-12-31T11:09:46Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-31T11:09:47Z INFO [secret] Secret scanning is enabled
2024-12-31T11:09:47Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-31T11:09:47Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-31T11:09:48Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-31T11:09:48Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-31T11:09:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-31T11:09:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-31T11:09:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-31T11:09:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-31T11:09:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-31T11:09:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-31T11:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:09:50Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-31T11:09:50Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-31T11:09:50Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-31T11:09:50Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-31T11:09:51Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-31T11:09:51Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-31T11:09:52Z INFO Number of language-specific files num=0
2024-12-31T11:09:52Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-31 11:09:54,804 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-31 11:09:54,804 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 359, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:93-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		93  | resource "aws_wafv2_web_acl" "waf_acl" {
		94  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		95  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		96  |   description = "Web ACL for ${local.application_name}"
		97  | 
		98  |   default_action {
		99  |     block {}
		100 |   }
		101 | 
		102 |   rule {
		103 |     name     = "ManualAllowBlockRules"
		104 |     priority = 1
		105 | 
		106 |     statement {
		107 |       rule_group_reference_statement {
		108 |         arn = aws_wafv2_rule_group.manual-rules.arn
		109 |       }
		110 |     }
		111 | 
		112 |     override_action {
		113 |       none {}
		114 |     }
		115 | 
		116 |     visibility_config {
		117 |       sampled_requests_enabled   = true
		118 |       cloudwatch_metrics_enabled = true
		119 |       metric_name                = "ManualAllowBlockRules"
		120 |     }
		121 |   }
		122 | 
		123 |   visibility_config {
		124 |     sampled_requests_enabled   = true
		125 |     cloudwatch_metrics_enabled = true
		126 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		127 |   }
		128 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:93-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		93  | resource "aws_wafv2_web_acl" "waf_acl" {
		94  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		95  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		96  |   description = "Web ACL for ${local.application_name}"
		97  | 
		98  |   default_action {
		99  |     block {}
		100 |   }
		101 | 
		102 |   rule {
		103 |     name     = "ManualAllowBlockRules"
		104 |     priority = 1
		105 | 
		106 |     statement {
		107 |       rule_group_reference_statement {
		108 |         arn = aws_wafv2_rule_group.manual-rules.arn
		109 |       }
		110 |     }
		111 | 
		112 |     override_action {
		113 |       none {}
		114 |     }
		115 | 
		116 |     visibility_config {
		117 |       sampled_requests_enabled   = true
		118 |       cloudwatch_metrics_enabled = true
		119 |       metric_name                = "ManualAllowBlockRules"
		120 |     }
		121 |   }
		122 | 
		123 |   visibility_config {
		124 |     sampled_requests_enabled   = true
		125 |     cloudwatch_metrics_enabled = true
		126 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		127 |   }
		128 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-31T11:09:44Z	INFO	[vulndb] Need to update DB
2024-12-31T11:09:44Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-31T11:09:44Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:09:46Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:09:46Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-31T11:09:46Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-31T11:09:46Z	INFO	[misconfig] Need to update the built-in checks
2024-12-31T11:09:46Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-31T11:09:47Z	INFO	[secret] Secret scanning is enabled
2024-12-31T11:09:47Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-31T11:09:47Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-31T11:09:48Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-31T11:09:48Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-31T11:09:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-31T11:09:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-31T11:09:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-31T11:09:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-31T11:09:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-31T11:09:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-31T11:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:09:50Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-31T11:09:50Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-31T11:09:50Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-31T11:09:50Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-31T11:09:51Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-31T11:09:51Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-31T11:09:52Z	INFO	Number of language-specific files	num=0
2024-12-31T11:09:52Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-12-31T11:28:20Z INFO [vulndb] Need to update DB
2024-12-31T11:28:20Z INFO [vulndb] Downloading vulnerability DB...
2024-12-31T11:28:20Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:28:23Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:28:23Z INFO [vuln] Vulnerability scanning is enabled
2024-12-31T11:28:23Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-31T11:28:23Z INFO [misconfig] Need to update the built-in checks
2024-12-31T11:28:23Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-31T11:28:23Z INFO [secret] Secret scanning is enabled
2024-12-31T11:28:23Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-31T11:28:23Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-31T11:28:24Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-31T11:28:24Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-31T11:28:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-31T11:28:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-31T11:28:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-31T11:28:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-31T11:28:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-31T11:28:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-31T11:28:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:28:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:28:25Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-31T11:28:25Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-31T11:28:25Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-31T11:28:25Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-31T11:28:26Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-31T11:28:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-31T11:28:27Z INFO Number of language-specific files num=0
2024-12-31T11:28:27Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-31 11:28:30,237 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-31 11:28:30,237 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 359, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:94-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		94  | resource "aws_wafv2_web_acl" "waf_acl" {
		95  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		96  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		97  |   description = "Web ACL for ${local.application_name}"
		98  | 
		99  |   default_action {
		100 |     block {}
		101 |   }
		102 | 
		103 |   rule {
		104 |     name     = "ManualAllowBlockRules"
		105 |     priority = 1
		106 | 
		107 |     statement {
		108 |       rule_group_reference_statement {
		109 |         arn = aws_wafv2_rule_group.manual-rules.arn
		110 |       }
		111 |     }
		112 | 
		113 |     override_action {
		114 |       none {}
		115 |     }
		116 | 
		117 |     visibility_config {
		118 |       sampled_requests_enabled   = true
		119 |       cloudwatch_metrics_enabled = true
		120 |       metric_name                = "ManualAllowBlockRules"
		121 |     }
		122 |   }
		123 | 
		124 |   visibility_config {
		125 |     sampled_requests_enabled   = true
		126 |     cloudwatch_metrics_enabled = true
		127 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		128 |   }
		129 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:94-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		94  | resource "aws_wafv2_web_acl" "waf_acl" {
		95  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		96  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		97  |   description = "Web ACL for ${local.application_name}"
		98  | 
		99  |   default_action {
		100 |     block {}
		101 |   }
		102 | 
		103 |   rule {
		104 |     name     = "ManualAllowBlockRules"
		105 |     priority = 1
		106 | 
		107 |     statement {
		108 |       rule_group_reference_statement {
		109 |         arn = aws_wafv2_rule_group.manual-rules.arn
		110 |       }
		111 |     }
		112 | 
		113 |     override_action {
		114 |       none {}
		115 |     }
		116 | 
		117 |     visibility_config {
		118 |       sampled_requests_enabled   = true
		119 |       cloudwatch_metrics_enabled = true
		120 |       metric_name                = "ManualAllowBlockRules"
		121 |     }
		122 |   }
		123 | 
		124 |   visibility_config {
		125 |     sampled_requests_enabled   = true
		126 |     cloudwatch_metrics_enabled = true
		127 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		128 |   }
		129 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-31T11:28:20Z	INFO	[vulndb] Need to update DB
2024-12-31T11:28:20Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-31T11:28:20Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:28:23Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:28:23Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-31T11:28:23Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-31T11:28:23Z	INFO	[misconfig] Need to update the built-in checks
2024-12-31T11:28:23Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-31T11:28:23Z	INFO	[secret] Secret scanning is enabled
2024-12-31T11:28:23Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-31T11:28:23Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-31T11:28:24Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-31T11:28:24Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-31T11:28:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-31T11:28:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-31T11:28:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-31T11:28:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-31T11:28:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-31T11:28:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-31T11:28:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:28:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:28:25Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-31T11:28:25Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-31T11:28:25Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-31T11:28:25Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-31T11:28:26Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-31T11:28:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-31T11:28:27Z	INFO	Number of language-specific files	num=0
2024-12-31T11:28:27Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-12-31T11:48:49Z INFO [vulndb] Need to update DB
2024-12-31T11:48:49Z INFO [vulndb] Downloading vulnerability DB...
2024-12-31T11:48:49Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:48:51Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:48:51Z INFO [vuln] Vulnerability scanning is enabled
2024-12-31T11:48:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-31T11:48:51Z INFO [misconfig] Need to update the built-in checks
2024-12-31T11:48:51Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-31T11:48:51Z INFO [secret] Secret scanning is enabled
2024-12-31T11:48:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-31T11:48:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-31T11:48:53Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-31T11:48:53Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-31T11:48:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-31T11:48:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-31T11:48:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-31T11:48:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-31T11:48:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-31T11:48:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-31T11:48:55Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:48:55Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:48:55Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-31T11:48:55Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-31T11:48:55Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-31T11:48:55Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-31T11:48:56Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-31T11:48:56Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-31T11:48:56Z INFO Number of language-specific files num=0
2024-12-31T11:48:56Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-31 11:48:59,685 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-31 11:48:59,685 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 359, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:94-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		94  | resource "aws_wafv2_web_acl" "waf_acl" {
		95  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		96  |   provider    = aws.us-east-1
		97  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		98  |   description = "Web ACL for ${local.application_name}"
		99  | 
		100 |   default_action {
		101 |     block {}
		102 |   }
		103 | 
		104 |   rule {
		105 |     name     = "ManualAllowBlockRules"
		106 |     priority = 1
		107 | 
		108 |     statement {
		109 |       rule_group_reference_statement {
		110 |         arn = aws_wafv2_rule_group.manual-rules.arn
		111 |       }
		112 |     }
		113 | 
		114 |     override_action {
		115 |       none {}
		116 |     }
		117 | 
		118 |     visibility_config {
		119 |       sampled_requests_enabled   = true
		120 |       cloudwatch_metrics_enabled = true
		121 |       metric_name                = "ManualAllowBlockRules"
		122 |     }
		123 |   }
		124 | 
		125 |   visibility_config {
		126 |     sampled_requests_enabled   = true
		127 |     cloudwatch_metrics_enabled = true
		128 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		129 |   }
		130 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:94-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		94  | resource "aws_wafv2_web_acl" "waf_acl" {
		95  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		96  |   provider    = aws.us-east-1
		97  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		98  |   description = "Web ACL for ${local.application_name}"
		99  | 
		100 |   default_action {
		101 |     block {}
		102 |   }
		103 | 
		104 |   rule {
		105 |     name     = "ManualAllowBlockRules"
		106 |     priority = 1
		107 | 
		108 |     statement {
		109 |       rule_group_reference_statement {
		110 |         arn = aws_wafv2_rule_group.manual-rules.arn
		111 |       }
		112 |     }
		113 | 
		114 |     override_action {
		115 |       none {}
		116 |     }
		117 | 
		118 |     visibility_config {
		119 |       sampled_requests_enabled   = true
		120 |       cloudwatch_metrics_enabled = true
		121 |       metric_name                = "ManualAllowBlockRules"
		122 |     }
		123 |   }
		124 | 
		125 |   visibility_config {
		126 |     sampled_requests_enabled   = true
		127 |     cloudwatch_metrics_enabled = true
		128 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		129 |   }
		130 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-31T11:48:49Z	INFO	[vulndb] Need to update DB
2024-12-31T11:48:49Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-31T11:48:49Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:48:51Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T11:48:51Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-31T11:48:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-31T11:48:51Z	INFO	[misconfig] Need to update the built-in checks
2024-12-31T11:48:51Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-31T11:48:51Z	INFO	[secret] Secret scanning is enabled
2024-12-31T11:48:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-31T11:48:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-31T11:48:53Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-31T11:48:53Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-31T11:48:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-31T11:48:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-31T11:48:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-31T11:48:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-31T11:48:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-31T11:48:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-31T11:48:55Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:48:55Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T11:48:55Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-31T11:48:55Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-31T11:48:55Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-31T11:48:55Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-31T11:48:56Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-31T11:48:56Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-31T11:48:56Z	INFO	Number of language-specific files	num=0
2024-12-31T11:48:56Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-12-31T12:46:29Z INFO [vulndb] Need to update DB
2024-12-31T12:46:29Z INFO [vulndb] Downloading vulnerability DB...
2024-12-31T12:46:29Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T12:46:31Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T12:46:31Z INFO [vuln] Vulnerability scanning is enabled
2024-12-31T12:46:31Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-31T12:46:31Z INFO [misconfig] Need to update the built-in checks
2024-12-31T12:46:31Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-31T12:46:32Z INFO [secret] Secret scanning is enabled
2024-12-31T12:46:32Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-31T12:46:32Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-31T12:46:33Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-31T12:46:33Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-31T12:46:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-31T12:46:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-31T12:46:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-31T12:46:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-31T12:46:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-31T12:46:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-31T12:46:34Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T12:46:34Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T12:46:34Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-31T12:46:34Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-31T12:46:34Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-31T12:46:34Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-31T12:46:36Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-31T12:46:36Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-31T12:46:36Z INFO Number of language-specific files num=0
2024-12-31T12:46:36Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-31 12:46:39,704 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-31 12:46:39,704 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 359, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "prod_apex" {
		7  |   count = local.environment == "production" ? 1 : 0
		8  |   name  = "${local.application_name}-production-backup-vault"
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}-production-backup-vault" },
		12 |   )
		13 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:94-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		94  | resource "aws_wafv2_web_acl" "waf_acl" {
		95  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		96  |   provider    = aws.us-east-1
		97  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		98  |   description = "Web ACL for ${local.application_name}"
		99  | 
		100 |   default_action {
		101 |     block {}
		102 |   }
		103 | 
		104 |   rule {
		105 |     name     = "ManualAllowBlockRules"
		106 |     priority = 1
		107 | 
		108 |     statement {
		109 |       rule_group_reference_statement {
		110 |         arn = aws_wafv2_rule_group.manual-rules.arn
		111 |       }
		112 |     }
		113 | 
		114 |     override_action {
		115 |       none {}
		116 |     }
		117 | 
		118 |     visibility_config {
		119 |       sampled_requests_enabled   = true
		120 |       cloudwatch_metrics_enabled = true
		121 |       metric_name                = "ManualAllowBlockRules"
		122 |     }
		123 |   }
		124 | 
		125 |   visibility_config {
		126 |     sampled_requests_enabled   = true
		127 |     cloudwatch_metrics_enabled = true
		128 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		129 |   }
		130 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf.tf:94-130
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		94  | resource "aws_wafv2_web_acl" "waf_acl" {
		95  |   name        = "${upper(local.application_name)}-Whitelisting-Requesters"
		96  |   provider    = aws.us-east-1
		97  |   scope       = "CLOUDFRONT" # Use "CLOUDFRONT" for CloudFront
		98  |   description = "Web ACL for ${local.application_name}"
		99  | 
		100 |   default_action {
		101 |     block {}
		102 |   }
		103 | 
		104 |   rule {
		105 |     name     = "ManualAllowBlockRules"
		106 |     priority = 1
		107 | 
		108 |     statement {
		109 |       rule_group_reference_statement {
		110 |         arn = aws_wafv2_rule_group.manual-rules.arn
		111 |       }
		112 |     }
		113 | 
		114 |     override_action {
		115 |       none {}
		116 |     }
		117 | 
		118 |     visibility_config {
		119 |       sampled_requests_enabled   = true
		120 |       cloudwatch_metrics_enabled = true
		121 |       metric_name                = "ManualAllowBlockRules"
		122 |     }
		123 |   }
		124 | 
		125 |   visibility_config {
		126 |     sampled_requests_enabled   = true
		127 |     cloudwatch_metrics_enabled = true
		128 |     metric_name                = "${upper(local.application_name)}-Whitelisting-Requesters"
		129 |   }
		130 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-31T12:46:29Z	INFO	[vulndb] Need to update DB
2024-12-31T12:46:29Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-31T12:46:29Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T12:46:31Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-31T12:46:31Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-31T12:46:31Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-31T12:46:31Z	INFO	[misconfig] Need to update the built-in checks
2024-12-31T12:46:31Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-31T12:46:32Z	INFO	[secret] Secret scanning is enabled
2024-12-31T12:46:32Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-31T12:46:32Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-31T12:46:33Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-31T12:46:33Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-31T12:46:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-31T12:46:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-31T12:46:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-31T12:46:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-31T12:46:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-31T12:46:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-31T12:46:34Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T12:46:34Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-31T12:46:34Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-31T12:46:34Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-31T12:46:34Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-31T12:46:34Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-31T12:46:36Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-31T12:46:36Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-31T12:46:36Z	INFO	Number of language-specific files	num=0
2024-12-31T12:46:36Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mnasr-moj