Add get-schema endpoint

[MatMoore]

ministryofjustice/analytical-platform#1659

This PR adds the terraform to deploy the new get-schema lambda and the corresponding API gateway endpoint.

It should be able to log to S3 and cloudwatch, and access the metadata bucket.

Note: this is going to conflict with #3588

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/planetfm

*****************************

Running TFSEC in terraform/environments/planetfm
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.794527ms
  parsing              219.042617ms
  adaptation           144.203µs
  checks               8.406558ms
  total                229.387905ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     264
  files read           69

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/planetfm

*****************************

Running Checkov in terraform/environments/planetfm
terraform scan results:

Passed checks: 90, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/planetfm

*****************************

Running tflint in terraform/environments/planetfm
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/nomis terraform/modules/baseline_presets

*****************************

Running TFSEC in terraform/environments/nomis
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.97449ms
  parsing              396.744886ms
  adaptation           371.198µs
  checks               22.960243ms
  total                422.050817ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     281
  files read           75

  results
  ──────────────────────────────────────────
  passed               37
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

*****************************

Running TFSEC in terraform/modules/baseline_presets
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             370.098µs
  parsing              60.755185ms
  adaptation           82.2µs
  checks               7.28865ms
  total                68.496133ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     40
  files read           18

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/nomis terraform/modules/baseline_presets

*****************************

Running Checkov in terraform/environments/nomis
terraform scan results:

Passed checks: 149, Failed checks: 0, Skipped checks: 22


checkov_exitcode=0

*****************************

Running Checkov in terraform/modules/baseline_presets

checkov_exitcode=0

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis terraform/modules/baseline_presets

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modules/baseline_presets
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline_presets/variables.tf line 1:
   1: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

Warning: `ip_addresses` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline_presets/variables.tf line 7:
   7: variable "ip_addresses" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/nomis terraform/modules/baseline_presets

*****************************

Running TFSEC in terraform/environments/nomis
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             3.025819ms
  parsing              444.728948ms
  adaptation           1.074005ms
  checks               27.135343ms
  total                475.964115ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     281
  files read           75

  results
  ──────────────────────────────────────────
  passed               37
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

*****************************

Running TFSEC in terraform/modules/baseline_presets
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             647.901µs
  parsing              27.515646ms
  adaptation           123.7µs
  checks               14.838979ms
  total                43.126226ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     40
  files read           18

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/nomis terraform/modules/baseline_presets

*****************************

Running Checkov in terraform/environments/nomis
terraform scan results:

Passed checks: 149, Failed checks: 0, Skipped checks: 22


checkov_exitcode=0

*****************************

Running Checkov in terraform/modules/baseline_presets

checkov_exitcode=0

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis terraform/modules/baseline_presets

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modules/baseline_presets
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline_presets/variables.tf line 1:
   1: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

Warning: `ip_addresses` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline_presets/variables.tf line 7:
   7: variable "ip_addresses" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

[github-actions]

TFSEC Scan Failed

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/dacp

*****************************

Running TFSEC in terraform/environments/dacp
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:223
────────────────────────────────────────────────────────────────────────────────
  207    resource "aws_security_group" "ecs_service" {
  ...  
  223  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  225    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-6 CRITICAL Security group rule allows ingress from public internet. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:19-34
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   19  ┌     cidr_blocks = [
   20  │       "179.50.12.212/32",
   21  │       "92.177.120.49/32",
   22  │       "194.33.196.0/25",
   23  │       "194.33.192.0/25",
   24  │       "52.67.148.55/32",
   25  └       "89.32.121.144/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-52 (aws_security_group.dacp_lb_sc) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #7 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:42
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   42  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:50
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   50  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "dacp_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_dacp_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:87
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   87  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   90    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #12-13 HIGH IAM policy document uses wildcarded action 'ecr:*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:144-148
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  144  ┌            "Action": [
  145  │               "ecr:*",
  146  │               "logs:*",
  147  │               "secretsmanager:GetSecretValue"
  148  └            ],
  ...  
  155    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:135-155 (aws_iam_role_policy.app_execution) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:149
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  149  [            "Resource": "*",
  ...  
  155    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-18 HIGH IAM policy document uses wildcarded action 'logs:*' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:194-199
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_iam_role_policy" "app_task" {
  ...  
  194  ┌         "Action": [
  195  │           "logs:*",
  196  │           "ecr:*",
  197  │           "iam:*",
  198  │           "ec2:*"
  199  └         ],
  ...  
  205    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:184-205 (aws_iam_role_policy.app_task) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH IAM policy document uses sensitive action 'logs:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:200
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_iam_role_policy" "app_task" {
  ...  
  200  [        "Resource": "*"
  ...  
  205    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:108-116
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_lb" "dacp_lb" {
  109      name                       = "dacp-load-balancer"
  110      load_balancer_type         = "application"
  111      security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  112      subnets                    = data.aws_subnets.shared-public.ids
  113      enable_deletion_protection = false
  114      internal                   = false
  115      depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
  116    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:114
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_lb" "dacp_lb" {
  109      name                       = "dacp-load-balancer"
  110      load_balancer_type         = "application"
  111      security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  112      subnets                    = data.aws_subnets.shared-public.ids
  113      enable_deletion_protection = false
  114  [   internal                   = false (false)
  115      depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
  116    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #25 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #27 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:207-225
────────────────────────────────────────────────────────────────────────────────
  207  ┌ resource "aws_security_group" "ecs_service" {
  208  │   name_prefix = "ecs-service-sg-"
  209  │   vpc_id      = data.aws_vpc.shared.id
  210  │ 
  211  │   ingress {
  212  │     from_port       = 80
  213  │     to_port         = 80
  214  │     protocol        = "tcp"
  215  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:219-224
────────────────────────────────────────────────────────────────────────────────
  207    resource "aws_security_group" "ecs_service" {
  ...  
  219  ┌   egress {
  220  │     from_port   = 0
  221  │     to_port     = 0
  222  │     protocol    = "-1"
  223  │     cidr_blocks = ["0.0.0.0/0"]
  224  └   }
  225    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name = "/aws/events/deploymentLogs"
   11      retention_in_days = "7"
   12    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:15-35
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   15  ┌   ingress {
   16  │     from_port = 443
   17  │     to_port   = 443
   18  │     protocol  = "tcp"
   19  │     cidr_blocks = [
   20  │       "179.50.12.212/32",
   21  └       "92.177.120.49/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:60-105
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_security_group" "lb_sc_pingdom" {
   55      name        = "load balancer Pingdom security group"
   56      description = "control Pingdom access to the load balancer"
   57      vpc_id      = data.aws_vpc.shared.id
   58    
   59      // Allow all European Pingdom IP addresses
   60  ┌   ingress {
   61  │     from_port = 443
   62  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #35 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_dacp_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             607.293µs
  parsing              2.581424882s
  adaptation           3.30067ms
  checks               43.893511ms
  total                2.629226356s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     181
  files read           24

  results
  ──────────────────────────────────────────
  passed               46
  ignored              29
  critical             11
  high                 14
  medium               2
  low                  8

  46 passed, 29 ignored, 35 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/dacp

*****************************

Running Checkov in terraform/environments/dacp
2023-10-17 11:47:02,585 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 65, Failed checks: 39, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name          = "bastion-example"
		11 |   bucket_versioning    = true
		12 |   bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.dacp_task_definition
	File: /ecs.tf:14-76

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.dacp_ecs_service
	File: /ecs.tf:78-106

		78  | resource "aws_ecs_service" "dacp_ecs_service" {
		79  |   depends_on = [
		80  |     aws_lb_listener.dacp_lb
		81  |   ]
		82  | 
		83  |   name                              = var.networking[0].application
		84  |   cluster                           = aws_ecs_cluster.dacp_cluster.id
		85  |   task_definition                   = aws_ecs_task_definition.dacp_task_definition.arn
		86  |   launch_type                       = "FARGATE"
		87  |   enable_execute_command            = true
		88  |   desired_count                     = 2
		89  |   health_check_grace_period_seconds = 180
		90  | 
		91  |   network_configuration {
		92  |     subnets          = data.aws_subnets.shared-public.ids
		93  |     security_groups  = [aws_security_group.ecs_service.id]
		94  |     assign_public_ip = true
		95  |   }
		96  | 
		97  |   load_balancer {
		98  |     target_group_arn = aws_lb_target_group.dacp_target_group.arn
		99  |     container_name   = "dacp-container"
		100 |     container_port   = 80
		101 |   }
		102 | 
		103 |   deployment_controller {
		104 |     type = "ECS"
		105 |   }
		106 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:207-225
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		207 | resource "aws_security_group" "ecs_service" {
		208 |   name_prefix = "ecs-service-sg-"
		209 |   vpc_id      = data.aws_vpc.shared.id
		210 | 
		211 |   ingress {
		212 |     from_port       = 80
		213 |     to_port         = 80
		214 |     protocol        = "tcp"
		215 |     description     = "Allow traffic on port 80 from load balancer"
		216 |     security_groups = [aws_security_group.dacp_lb_sc.id]
		217 |   }
		218 | 
		219 |   egress {
		220 |     from_port   = 0
		221 |     to_port     = 0
		222 |     protocol    = "-1"
		223 |     cidr_blocks = ["0.0.0.0/0"]
		224 |   }
		225 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.dacp_lb_sc
	File: /load_balancer.tf:1-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:54-106
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.dacp_target_group
	File: /load_balancer.tf:118-140
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		118 | resource "aws_lb_target_group" "dacp_target_group" {
		119 |   name                 = "dacp-target-group"
		120 |   port                 = 80
		121 |   protocol             = "HTTP"
		122 |   vpc_id               = data.aws_vpc.shared.id
		123 |   target_type          = "ip"
		124 |   deregistration_delay = 30
		125 | 
		126 |   stickiness {
		127 |     type = "lb_cookie"
		128 |   }
		129 | 
		130 |   health_check {
		131 |     healthy_threshold   = "3"
		132 |     interval            = "30"
		133 |     protocol            = "HTTP"
		134 |     port                = "80"
		135 |     unhealthy_threshold = "5"
		136 |     matcher             = "200-302"
		137 |     timeout             = "10"
		138 |   }
		139 | 
		140 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_dacp_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_dacp_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_dacp_access-${local.environment}"
		27 |   description = "Allow dacp on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow dacp on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_dacp_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_dacp_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_dacp_access-${local.environment}"
		27 |   description = "Allow dacp on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow dacp on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/dacp

*****************************

Running tflint in terraform/environments/dacp
Excluding the following checks: terraform_unused_declarations
13 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 39:
  39:           value = "${aws_db_instance.dacp_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 47:
  47:           value = "${aws_db_instance.dacp_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 51:
  51:           value = "${aws_db_instance.dacp_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 55:
  55:           value = "${aws_db_instance.dacp_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/rds.tf line 115:
 115:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/dacp/rds.tf line 120:
 120: resource "null_resource" "setup_source_rds_security_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/rds.tf line 133:
 133:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/dacp/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/secrets.tf line 18:
  18:   secret_string = jsonencode({ "DACP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

[github-actions]

TFSEC Scan Failed

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/dacp

*****************************

Running TFSEC in terraform/environments/dacp
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:223
────────────────────────────────────────────────────────────────────────────────
  207    resource "aws_security_group" "ecs_service" {
  ...  
  223  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  225    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-6 CRITICAL Security group rule allows ingress from public internet. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:19-34
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   19  ┌     cidr_blocks = [
   20  │       "179.50.12.212/32",
   21  │       "92.177.120.49/32",
   22  │       "194.33.196.0/25",
   23  │       "194.33.192.0/25",
   24  │       "52.67.148.55/32",
   25  └       "89.32.121.144/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-52 (aws_security_group.dacp_lb_sc) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #7 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:42
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   42  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:50
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   50  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "dacp_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_dacp_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:87
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   87  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   90    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #12-13 HIGH IAM policy document uses wildcarded action 'ecr:*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:144-148
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  144  ┌            "Action": [
  145  │               "ecr:*",
  146  │               "logs:*",
  147  │               "secretsmanager:GetSecretValue"
  148  └            ],
  ...  
  155    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:135-155 (aws_iam_role_policy.app_execution) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:149
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  149  [            "Resource": "*",
  ...  
  155    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-18 HIGH IAM policy document uses wildcarded action 'logs:*' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:194-199
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_iam_role_policy" "app_task" {
  ...  
  194  ┌         "Action": [
  195  │           "logs:*",
  196  │           "ecr:*",
  197  │           "iam:*",
  198  │           "ec2:*"
  199  └         ],
  ...  
  205    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:184-205 (aws_iam_role_policy.app_task) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH IAM policy document uses sensitive action 'logs:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:200
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_iam_role_policy" "app_task" {
  ...  
  200  [        "Resource": "*"
  ...  
  205    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:108-116
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_lb" "dacp_lb" {
  109      name                       = "dacp-load-balancer"
  110      load_balancer_type         = "application"
  111      security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  112      subnets                    = data.aws_subnets.shared-public.ids
  113      enable_deletion_protection = false
  114      internal                   = false
  115      depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
  116    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:114
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_lb" "dacp_lb" {
  109      name                       = "dacp-load-balancer"
  110      load_balancer_type         = "application"
  111      security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  112      subnets                    = data.aws_subnets.shared-public.ids
  113      enable_deletion_protection = false
  114  [   internal                   = false (false)
  115      depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
  116    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #25 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #27 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:207-225
────────────────────────────────────────────────────────────────────────────────
  207  ┌ resource "aws_security_group" "ecs_service" {
  208  │   name_prefix = "ecs-service-sg-"
  209  │   vpc_id      = data.aws_vpc.shared.id
  210  │ 
  211  │   ingress {
  212  │     from_port       = 80
  213  │     to_port         = 80
  214  │     protocol        = "tcp"
  215  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:219-224
────────────────────────────────────────────────────────────────────────────────
  207    resource "aws_security_group" "ecs_service" {
  ...  
  219  ┌   egress {
  220  │     from_port   = 0
  221  │     to_port     = 0
  222  │     protocol    = "-1"
  223  │     cidr_blocks = ["0.0.0.0/0"]
  224  └   }
  225    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name = "/aws/events/deploymentLogs"
   11      retention_in_days = "7"
   12    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:15-35
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   15  ┌   ingress {
   16  │     from_port = 443
   17  │     to_port   = 443
   18  │     protocol  = "tcp"
   19  │     cidr_blocks = [
   20  │       "179.50.12.212/32",
   21  └       "92.177.120.49/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:60-105
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_security_group" "lb_sc_pingdom" {
   55      name        = "load balancer Pingdom security group"
   56      description = "control Pingdom access to the load balancer"
   57      vpc_id      = data.aws_vpc.shared.id
   58    
   59      // Allow all European Pingdom IP addresses
   60  ┌   ingress {
   61  │     from_port = 443
   62  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #35 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_dacp_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             576.399µs
  parsing              1.144470618s
  adaptation           3.687085ms
  checks               47.118907ms
  total                1.195853009s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     181
  files read           24

  results
  ──────────────────────────────────────────
  passed               46
  ignored              29
  critical             11
  high                 14
  medium               2
  low                  8

  46 passed, 29 ignored, 35 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/dacp

*****************************

Running Checkov in terraform/environments/dacp
2023-10-17 12:01:48,795 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 65, Failed checks: 39, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name          = "bastion-example"
		11 |   bucket_versioning    = true
		12 |   bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.dacp_task_definition
	File: /ecs.tf:14-76

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.dacp_ecs_service
	File: /ecs.tf:78-106

		78  | resource "aws_ecs_service" "dacp_ecs_service" {
		79  |   depends_on = [
		80  |     aws_lb_listener.dacp_lb
		81  |   ]
		82  | 
		83  |   name                              = var.networking[0].application
		84  |   cluster                           = aws_ecs_cluster.dacp_cluster.id
		85  |   task_definition                   = aws_ecs_task_definition.dacp_task_definition.arn
		86  |   launch_type                       = "FARGATE"
		87  |   enable_execute_command            = true
		88  |   desired_count                     = 2
		89  |   health_check_grace_period_seconds = 180
		90  | 
		91  |   network_configuration {
		92  |     subnets          = data.aws_subnets.shared-public.ids
		93  |     security_groups  = [aws_security_group.ecs_service.id]
		94  |     assign_public_ip = true
		95  |   }
		96  | 
		97  |   load_balancer {
		98  |     target_group_arn = aws_lb_target_group.dacp_target_group.arn
		99  |     container_name   = "dacp-container"
		100 |     container_port   = 80
		101 |   }
		102 | 
		103 |   deployment_controller {
		104 |     type = "ECS"
		105 |   }
		106 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:207-225
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		207 | resource "aws_security_group" "ecs_service" {
		208 |   name_prefix = "ecs-service-sg-"
		209 |   vpc_id      = data.aws_vpc.shared.id
		210 | 
		211 |   ingress {
		212 |     from_port       = 80
		213 |     to_port         = 80
		214 |     protocol        = "tcp"
		215 |     description     = "Allow traffic on port 80 from load balancer"
		216 |     security_groups = [aws_security_group.dacp_lb_sc.id]
		217 |   }
		218 | 
		219 |   egress {
		220 |     from_port   = 0
		221 |     to_port     = 0
		222 |     protocol    = "-1"
		223 |     cidr_blocks = ["0.0.0.0/0"]
		224 |   }
		225 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.dacp_lb_sc
	File: /load_balancer.tf:1-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:54-106
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.dacp_target_group
	File: /load_balancer.tf:118-140
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		118 | resource "aws_lb_target_group" "dacp_target_group" {
		119 |   name                 = "dacp-target-group"
		120 |   port                 = 80
		121 |   protocol             = "HTTP"
		122 |   vpc_id               = data.aws_vpc.shared.id
		123 |   target_type          = "ip"
		124 |   deregistration_delay = 30
		125 | 
		126 |   stickiness {
		127 |     type = "lb_cookie"
		128 |   }
		129 | 
		130 |   health_check {
		131 |     healthy_threshold   = "3"
		132 |     interval            = "30"
		133 |     protocol            = "HTTP"
		134 |     port                = "80"
		135 |     unhealthy_threshold = "5"
		136 |     matcher             = "200-302"
		137 |     timeout             = "10"
		138 |   }
		139 | 
		140 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_dacp_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_dacp_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_dacp_access-${local.environment}"
		27 |   description = "Allow dacp on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow dacp on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_dacp_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_dacp_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_dacp_access-${local.environment}"
		27 |   description = "Allow dacp on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow dacp on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/dacp

*****************************

Running tflint in terraform/environments/dacp
Excluding the following checks: terraform_unused_declarations
13 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 39:
  39:           value = "${aws_db_instance.dacp_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 47:
  47:           value = "${aws_db_instance.dacp_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 51:
  51:           value = "${aws_db_instance.dacp_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 55:
  55:           value = "${aws_db_instance.dacp_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/rds.tf line 115:
 115:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/dacp/rds.tf line 120:
 120: resource "null_resource" "setup_source_rds_security_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/rds.tf line 133:
 133:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/dacp/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/secrets.tf line 18:
  18:   secret_string = jsonencode({ "DACP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

[github-actions]

TFSEC Scan Failed

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/dacp

*****************************

Running TFSEC in terraform/environments/dacp
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:223
────────────────────────────────────────────────────────────────────────────────
  207    resource "aws_security_group" "ecs_service" {
  ...  
  223  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  225    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-6 CRITICAL Security group rule allows ingress from public internet. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:19-34
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   19  ┌     cidr_blocks = [
   20  │       "179.50.12.212/32",
   21  │       "92.177.120.49/32",
   22  │       "194.33.196.0/25",
   23  │       "194.33.192.0/25",
   24  │       "52.67.148.55/32",
   25  └       "89.32.121.144/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-52 (aws_security_group.dacp_lb_sc) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #7 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:42
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   42  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:50
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   50  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "dacp_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_dacp_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:87
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   87  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   90    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #12-13 HIGH IAM policy document uses wildcarded action 'ecr:*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:144-148
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  144  ┌            "Action": [
  145  │               "ecr:*",
  146  │               "logs:*",
  147  │               "secretsmanager:GetSecretValue"
  148  └            ],
  ...  
  155    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:135-155 (aws_iam_role_policy.app_execution) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:149
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  149  [            "Resource": "*",
  ...  
  155    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-18 HIGH IAM policy document uses wildcarded action 'logs:*' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:194-199
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_iam_role_policy" "app_task" {
  ...  
  194  ┌         "Action": [
  195  │           "logs:*",
  196  │           "ecr:*",
  197  │           "iam:*",
  198  │           "ec2:*"
  199  └         ],
  ...  
  205    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:184-205 (aws_iam_role_policy.app_task) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH IAM policy document uses sensitive action 'logs:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:200
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_iam_role_policy" "app_task" {
  ...  
  200  [        "Resource": "*"
  ...  
  205    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:108-116
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_lb" "dacp_lb" {
  109      name                       = "dacp-load-balancer"
  110      load_balancer_type         = "application"
  111      security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  112      subnets                    = data.aws_subnets.shared-public.ids
  113      enable_deletion_protection = false
  114      internal                   = false
  115      depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
  116    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:114
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_lb" "dacp_lb" {
  109      name                       = "dacp-load-balancer"
  110      load_balancer_type         = "application"
  111      security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  112      subnets                    = data.aws_subnets.shared-public.ids
  113      enable_deletion_protection = false
  114  [   internal                   = false (false)
  115      depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
  116    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #25 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #27 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:207-225
────────────────────────────────────────────────────────────────────────────────
  207  ┌ resource "aws_security_group" "ecs_service" {
  208  │   name_prefix = "ecs-service-sg-"
  209  │   vpc_id      = data.aws_vpc.shared.id
  210  │ 
  211  │   ingress {
  212  │     from_port       = 80
  213  │     to_port         = 80
  214  │     protocol        = "tcp"
  215  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:219-224
────────────────────────────────────────────────────────────────────────────────
  207    resource "aws_security_group" "ecs_service" {
  ...  
  219  ┌   egress {
  220  │     from_port   = 0
  221  │     to_port     = 0
  222  │     protocol    = "-1"
  223  │     cidr_blocks = ["0.0.0.0/0"]
  224  └   }
  225    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name = "/aws/events/deploymentLogs"
   11      retention_in_days = "7"
   12    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:15-35
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   15  ┌   ingress {
   16  │     from_port = 443
   17  │     to_port   = 443
   18  │     protocol  = "tcp"
   19  │     cidr_blocks = [
   20  │       "179.50.12.212/32",
   21  └       "92.177.120.49/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:60-105
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_security_group" "lb_sc_pingdom" {
   55      name        = "load balancer Pingdom security group"
   56      description = "control Pingdom access to the load balancer"
   57      vpc_id      = data.aws_vpc.shared.id
   58    
   59      // Allow all European Pingdom IP addresses
   60  ┌   ingress {
   61  │     from_port = 443
   62  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #35 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_dacp_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             698.001µs
  parsing              1.204272122s
  adaptation           3.529502ms
  checks               48.591821ms
  total                1.257091446s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     181
  files read           24

  results
  ──────────────────────────────────────────
  passed               46
  ignored              29
  critical             11
  high                 14
  medium               2
  low                  8

  46 passed, 29 ignored, 35 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/dacp

*****************************

Running Checkov in terraform/environments/dacp
2023-10-17 12:55:49,279 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 65, Failed checks: 39, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name          = "bastion-example"
		11 |   bucket_versioning    = true
		12 |   bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.dacp_task_definition
	File: /ecs.tf:14-76

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.dacp_ecs_service
	File: /ecs.tf:78-106

		78  | resource "aws_ecs_service" "dacp_ecs_service" {
		79  |   depends_on = [
		80  |     aws_lb_listener.dacp_lb
		81  |   ]
		82  | 
		83  |   name                              = var.networking[0].application
		84  |   cluster                           = aws_ecs_cluster.dacp_cluster.id
		85  |   task_definition                   = aws_ecs_task_definition.dacp_task_definition.arn
		86  |   launch_type                       = "FARGATE"
		87  |   enable_execute_command            = true
		88  |   desired_count                     = 2
		89  |   health_check_grace_period_seconds = 180
		90  | 
		91  |   network_configuration {
		92  |     subnets          = data.aws_subnets.shared-public.ids
		93  |     security_groups  = [aws_security_group.ecs_service.id]
		94  |     assign_public_ip = true
		95  |   }
		96  | 
		97  |   load_balancer {
		98  |     target_group_arn = aws_lb_target_group.dacp_target_group.arn
		99  |     container_name   = "dacp-container"
		100 |     container_port   = 80
		101 |   }
		102 | 
		103 |   deployment_controller {
		104 |     type = "ECS"
		105 |   }
		106 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:207-225
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		207 | resource "aws_security_group" "ecs_service" {
		208 |   name_prefix = "ecs-service-sg-"
		209 |   vpc_id      = data.aws_vpc.shared.id
		210 | 
		211 |   ingress {
		212 |     from_port       = 80
		213 |     to_port         = 80
		214 |     protocol        = "tcp"
		215 |     description     = "Allow traffic on port 80 from load balancer"
		216 |     security_groups = [aws_security_group.dacp_lb_sc.id]
		217 |   }
		218 | 
		219 |   egress {
		220 |     from_port   = 0
		221 |     to_port     = 0
		222 |     protocol    = "-1"
		223 |     cidr_blocks = ["0.0.0.0/0"]
		224 |   }
		225 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.dacp_lb_sc
	File: /load_balancer.tf:1-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:54-106
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.dacp_target_group
	File: /load_balancer.tf:118-140
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		118 | resource "aws_lb_target_group" "dacp_target_group" {
		119 |   name                 = "dacp-target-group"
		120 |   port                 = 80
		121 |   protocol             = "HTTP"
		122 |   vpc_id               = data.aws_vpc.shared.id
		123 |   target_type          = "ip"
		124 |   deregistration_delay = 30
		125 | 
		126 |   stickiness {
		127 |     type = "lb_cookie"
		128 |   }
		129 | 
		130 |   health_check {
		131 |     healthy_threshold   = "3"
		132 |     interval            = "30"
		133 |     protocol            = "HTTP"
		134 |     port                = "80"
		135 |     unhealthy_threshold = "5"
		136 |     matcher             = "200-302"
		137 |     timeout             = "10"
		138 |   }
		139 | 
		140 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_dacp_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_dacp_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_dacp_access-${local.environment}"
		27 |   description = "Allow dacp on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow dacp on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_dacp_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_dacp_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_dacp_access-${local.environment}"
		27 |   description = "Allow dacp on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow dacp on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/dacp

*****************************

Running tflint in terraform/environments/dacp
Excluding the following checks: terraform_unused_declarations
13 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 39:
  39:           value = "${aws_db_instance.dacp_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 47:
  47:           value = "${aws_db_instance.dacp_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 51:
  51:           value = "${aws_db_instance.dacp_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 55:
  55:           value = "${aws_db_instance.dacp_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/rds.tf line 115:
 115:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/dacp/rds.tf line 120:
 120: resource "null_resource" "setup_source_rds_security_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/rds.tf line 133:
 133:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/dacp/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/secrets.tf line 18:
  18:   secret_string = jsonencode({ "DACP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

[github-actions]

TFSEC Scan Failed

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/dacp

*****************************

Running TFSEC in terraform/environments/dacp
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:223
────────────────────────────────────────────────────────────────────────────────
  207    resource "aws_security_group" "ecs_service" {
  ...  
  223  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  225    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-6 CRITICAL Security group rule allows ingress from public internet. (5 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:19-34
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   19  ┌     cidr_blocks = [
   20  │       "179.50.12.212/32",
   21  │       "92.177.120.49/32",
   22  │       "194.33.196.0/25",
   23  │       "194.33.192.0/25",
   24  │       "52.67.148.55/32",
   25  └       "89.32.121.144/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-52 (aws_security_group.dacp_lb_sc) 5 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #7 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:42
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   42  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:50
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   50  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "dacp_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_dacp_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:87
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   87  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   90    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #12-13 HIGH IAM policy document uses wildcarded action 'ecr:*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:144-148
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  144  ┌            "Action": [
  145  │               "ecr:*",
  146  │               "logs:*",
  147  │               "secretsmanager:GetSecretValue"
  148  └            ],
  ...  
  155    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:135-155 (aws_iam_role_policy.app_execution) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:149
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  149  [            "Resource": "*",
  ...  
  155    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-18 HIGH IAM policy document uses wildcarded action 'logs:*' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:194-199
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_iam_role_policy" "app_task" {
  ...  
  194  ┌         "Action": [
  195  │           "logs:*",
  196  │           "ecr:*",
  197  │           "iam:*",
  198  │           "ec2:*"
  199  └         ],
  ...  
  205    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:184-205 (aws_iam_role_policy.app_task) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH IAM policy document uses sensitive action 'logs:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:200
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_iam_role_policy" "app_task" {
  ...  
  200  [        "Resource": "*"
  ...  
  205    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:108-116
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_lb" "dacp_lb" {
  109      name                       = "dacp-load-balancer"
  110      load_balancer_type         = "application"
  111      security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  112      subnets                    = data.aws_subnets.shared-public.ids
  113      enable_deletion_protection = false
  114      internal                   = false
  115      depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
  116    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:114
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_lb" "dacp_lb" {
  109      name                       = "dacp-load-balancer"
  110      load_balancer_type         = "application"
  111      security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  112      subnets                    = data.aws_subnets.shared-public.ids
  113      enable_deletion_protection = false
  114  [   internal                   = false (false)
  115      depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
  116    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #25 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #27 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:207-225
────────────────────────────────────────────────────────────────────────────────
  207  ┌ resource "aws_security_group" "ecs_service" {
  208  │   name_prefix = "ecs-service-sg-"
  209  │   vpc_id      = data.aws_vpc.shared.id
  210  │ 
  211  │   ingress {
  212  │     from_port       = 80
  213  │     to_port         = 80
  214  │     protocol        = "tcp"
  215  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:219-224
────────────────────────────────────────────────────────────────────────────────
  207    resource "aws_security_group" "ecs_service" {
  ...  
  219  ┌   egress {
  220  │     from_port   = 0
  221  │     to_port     = 0
  222  │     protocol    = "-1"
  223  │     cidr_blocks = ["0.0.0.0/0"]
  224  └   }
  225    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227-230
────────────────────────────────────────────────────────────────────────────────
  227    resource "aws_ecr_repository" "dacp_ecr_repo" {
  228      name         = "dacp-ecr-repo"
  229      force_delete = true
  230    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name = "/aws/events/deploymentLogs"
   11      retention_in_days = "7"
   12    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:15-35
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "dacp_lb_sc" {
    .  
   15  ┌   ingress {
   16  │     from_port = 443
   17  │     to_port   = 443
   18  │     protocol  = "tcp"
   19  │     cidr_blocks = [
   20  │       "179.50.12.212/32",
   21  └       "92.177.120.49/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:60-105
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_security_group" "lb_sc_pingdom" {
   55      name        = "load balancer Pingdom security group"
   56      description = "control Pingdom access to the load balancer"
   57      vpc_id      = data.aws_vpc.shared.id
   58    
   59      // Allow all European Pingdom IP addresses
   60  ┌   ingress {
   61  │     from_port = 443
   62  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "dacp_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #35 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_dacp_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.803697ms
  parsing              2.206966676s
  adaptation           4.229426ms
  checks               63.274686ms
  total                2.276274485s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     181
  files read           24

  results
  ──────────────────────────────────────────
  passed               46
  ignored              29
  critical             11
  high                 14
  medium               2
  low                  8

  46 passed, 29 ignored, 35 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/dacp

*****************************

Running Checkov in terraform/environments/dacp
2023-10-17 13:11:57,704 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 65, Failed checks: 39, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name          = "bastion-example"
		11 |   bucket_versioning    = true
		12 |   bucket_force_destroy = true
		13 |   # public keys
		14 |   public_key_data = local.public_key_data.keys[local.environment]
		15 |   # logs
		16 |   log_auto_clean       = "Enabled"
		17 |   log_standard_ia_days = 30  # days before moving to IA storage
		18 |   log_glacier_days     = 60  # days before moving to Glacier
		19 |   log_expiry_days      = 180 # days before log expiration
		20 |   # bastion
		21 |   allow_ssh_commands = false
		22 |   app_name           = var.networking[0].application
		23 |   business_unit      = local.vpc_name
		24 |   subnet_set         = local.subnet_set
		25 |   environment        = local.environment
		26 |   region             = "eu-west-2"
		27 | 
		28 |   # Tags
		29 |   tags_common = local.tags
		30 |   tags_prefix = terraform.workspace
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.dacp_task_definition
	File: /ecs.tf:14-76

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.dacp_ecs_service
	File: /ecs.tf:78-106

		78  | resource "aws_ecs_service" "dacp_ecs_service" {
		79  |   depends_on = [
		80  |     aws_lb_listener.dacp_lb
		81  |   ]
		82  | 
		83  |   name                              = var.networking[0].application
		84  |   cluster                           = aws_ecs_cluster.dacp_cluster.id
		85  |   task_definition                   = aws_ecs_task_definition.dacp_task_definition.arn
		86  |   launch_type                       = "FARGATE"
		87  |   enable_execute_command            = true
		88  |   desired_count                     = 2
		89  |   health_check_grace_period_seconds = 180
		90  | 
		91  |   network_configuration {
		92  |     subnets          = data.aws_subnets.shared-public.ids
		93  |     security_groups  = [aws_security_group.ecs_service.id]
		94  |     assign_public_ip = true
		95  |   }
		96  | 
		97  |   load_balancer {
		98  |     target_group_arn = aws_lb_target_group.dacp_target_group.arn
		99  |     container_name   = "dacp-container"
		100 |     container_port   = 80
		101 |   }
		102 | 
		103 |   deployment_controller {
		104 |     type = "ECS"
		105 |   }
		106 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-155

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:*",
		147 |               "secretsmanager:GetSecretValue"
		148 |            ],
		149 |            "Resource": "*",
		150 |            "Effect": "Allow"
		151 |       }
		152 |     ]
		153 |   }
		154 |   EOF
		155 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:207-225
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		207 | resource "aws_security_group" "ecs_service" {
		208 |   name_prefix = "ecs-service-sg-"
		209 |   vpc_id      = data.aws_vpc.shared.id
		210 | 
		211 |   ingress {
		212 |     from_port       = 80
		213 |     to_port         = 80
		214 |     protocol        = "tcp"
		215 |     description     = "Allow traffic on port 80 from load balancer"
		216 |     security_groups = [aws_security_group.dacp_lb_sc.id]
		217 |   }
		218 | 
		219 |   egress {
		220 |     from_port   = 0
		221 |     to_port     = 0
		222 |     protocol    = "-1"
		223 |     cidr_blocks = ["0.0.0.0/0"]
		224 |   }
		225 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.dacp_ecr_repo
	File: /ecs.tf:227-230
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		227 | resource "aws_ecr_repository" "dacp_ecr_repo" {
		228 |   name         = "dacp-ecr-repo"
		229 |   force_delete = true
		230 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.dacp_lb_sc
	File: /load_balancer.tf:1-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:54-106
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.dacp_target_group
	File: /load_balancer.tf:118-140
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		118 | resource "aws_lb_target_group" "dacp_target_group" {
		119 |   name                 = "dacp-target-group"
		120 |   port                 = 80
		121 |   protocol             = "HTTP"
		122 |   vpc_id               = data.aws_vpc.shared.id
		123 |   target_type          = "ip"
		124 |   deregistration_delay = 30
		125 | 
		126 |   stickiness {
		127 |     type = "lb_cookie"
		128 |   }
		129 | 
		130 |   health_check {
		131 |     healthy_threshold   = "3"
		132 |     interval            = "30"
		133 |     protocol            = "HTTP"
		134 |     port                = "80"
		135 |     unhealthy_threshold = "5"
		136 |     matcher             = "200-302"
		137 |     timeout             = "10"
		138 |   }
		139 | 
		140 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_dacp_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_dacp_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_dacp_access-${local.environment}"
		27 |   description = "Allow dacp on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow dacp on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.dacp_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "dacp_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.dacp_lb
	File: /load_balancer.tf:108-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		108 | resource "aws_lb" "dacp_lb" {
		109 |   name                       = "dacp-load-balancer"
		110 |   load_balancer_type         = "application"
		111 |   security_groups            = [aws_security_group.dacp_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		112 |   subnets                    = data.aws_subnets.shared-public.ids
		113 |   enable_deletion_protection = false
		114 |   internal                   = false
		115 |   depends_on                 = [aws_security_group.dacp_lb_sc, aws_security_group.lb_sc_pingdom]
		116 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_dacp_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_dacp_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_dacp_access-${local.environment}"
		27 |   description = "Allow dacp on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow dacp on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:184-205

		184 | resource "aws_iam_role_policy" "app_task" {
		185 |   name = "task-${var.networking[0].application}"
		186 |   role = aws_iam_role.app_task.id
		187 | 
		188 |   policy = <<-EOF
		189 |   {
		190 |    "Version": "2012-10-17",
		191 |    "Statement": [
		192 |      {
		193 |        "Effect": "Allow",
		194 |         "Action": [
		195 |           "logs:*",
		196 |           "ecr:*",
		197 |           "iam:*",
		198 |           "ec2:*"
		199 |         ],
		200 |        "Resource": "*"
		201 |      }
		202 |    ]
		203 |   }
		204 |   EOF
		205 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/dacp

*****************************

Running tflint in terraform/environments/dacp
Excluding the following checks: terraform_unused_declarations
13 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 39:
  39:           value = "${aws_db_instance.dacp_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 47:
  47:           value = "${aws_db_instance.dacp_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 51:
  51:           value = "${aws_db_instance.dacp_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 55:
  55:           value = "${aws_db_instance.dacp_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/rds.tf line 115:
 115:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/dacp/rds.tf line 120:
 120: resource "null_resource" "setup_source_rds_security_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/rds.tf line 133:
 133:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/dacp/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/dacp/secrets.tf line 18:
  18:   secret_string = jsonencode({ "DACP_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2