feat: add secret to hold XP Ingest LB root CA certificate data #8252

Merged
merged 1 commit into from
Oct 15, 2024

Conversation

luigidifraiawork
Contributor

No description provided.

@luigidifraiawork luigidifraiawork requested review from a team as code owners October 15, 2024 07:59
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 15, 2024

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/xhibit-portal


Running Trivy in terraform/environments/xhibit-portal
2024-10-15T08:00:49Z INFO [vulndb] Need to update DB
2024-10-15T08:00:49Z INFO [vulndb] Downloading vulnerability DB...
2024-10-15T08:00:49Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T08:00:51Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T08:00:51Z INFO [vuln] Vulnerability scanning is enabled
2024-10-15T08:00:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-15T08:00:51Z INFO [misconfig] Need to update the built-in checks
2024-10-15T08:00:51Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-15T08:00:51Z INFO [secret] Secret scanning is enabled
2024-10-15T08:00:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T08:00:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T08:00:53Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-15T08:00:53Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-15T08:00:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T08:00:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T08:00:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T08:00:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T08:00:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T08:00:56Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2024-10-15T08:00:56Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-15T08:00:56Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="lambda.tf:57-69"
2024-10-15T08:00:56Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="lambda.tf:150-164"
2024-10-15T08:00:56Z INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="scripts/perf/node_modules"
2024-10-15T08:00:56Z INFO Number of language-specific files num=1
2024-10-15T08:00:56Z INFO [npm] Detecting vulnerabilities...
2024-10-15T08:00:56Z INFO Detected config files num=17

For OSS Maintainers: VEX Notice

If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.

scripts/perf/package-lock.json (npm)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                          Title                           │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ jsonwebtoken │ CVE-2022-23539 │ HIGH     │ fixed  │ 8.5.1             │ 9.0.0               │ jsonwebtoken: Unrestricted key type could lead to legacy │
│              │                │          │        │                   │                     │ keys usagen                                              │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-23539               │
├──────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ semver       │ CVE-2022-25883 │          │        │ 5.7.1             │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service      │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-25883               │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────┘

importmachine.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
importmachine.tf:20
via importmachine.tf:14-21 (ingress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
20 [ ipv6_cidr_blocks = ["::/0"]
..
32 }
────────────────────────────────────────

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
importmachine.tf:19
via importmachine.tf:14-21 (ingress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
32 }
────────────────────────────────────────

ingestion-load-balancer.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ingestion-load-balancer.tf:59
via ingestion-load-balancer.tf:52-97 (aws_elb.ingestion_lb)
────────────────────────────────────────
52 resource "aws_elb" "ingestion_lb" {
..
59 [ internal = false
..
97 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

prtg-load-balancer.tf (terraform)

Tests: 7 (SUCCESSES: 0, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (HIGH: 6, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
prtg-load-balancer.tf:82
via prtg-load-balancer.tf:73-90 (aws_lb_listener.prtg_lb_listener)
────────────────────────────────────────
73 resource "aws_lb_listener" "prtg_lb_listener" {
..
82 [ ssl_policy = "ELBSecurityPolicy-2016-08"
..
90 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
prtg-load-balancer.tf:12-37
────────────────────────────────────────
12 ┌ resource "aws_lb" "prtg_lb" {
13 │
14 │ depends_on = [
15 │ aws_security_group.prtg_lb,
16 │ ]
17 │
18 │ name = "prtg-lb-${var.networking[0].application}"
19 │ internal = false
20 └ load_balancer_type = "application"
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
prtg-load-balancer.tf:19
via prtg-load-balancer.tf:12-37 (aws_lb.prtg_lb)
────────────────────────────────────────
12 resource "aws_lb" "prtg_lb" {
..
19 [ internal = false
..
37 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

waf-load-balancer.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (HIGH: 10, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
waf-load-balancer.tf:96
via waf-load-balancer.tf:87-104 (aws_lb_listener.waf_lb_listener)
────────────────────────────────────────
87 resource "aws_lb_listener" "waf_lb_listener" {
..
96 [ ssl_policy = "ELBSecurityPolicy-2016-08"
...
104 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
waf-load-balancer.tf:27-52
────────────────────────────────────────
27 ┌ resource "aws_lb" "waf_lb" {
28 │
29 │ depends_on = [
30 │ aws_security_group.waf_lb,
31 │ ]
32 │
33 │ name = "waf-lb-${var.networking[0].application}"
34 │ internal = false
35 └ load_balancer_type = "application"
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
waf-load-balancer.tf:34
via waf-load-balancer.tf:27-52 (aws_lb.waf_lb)
────────────────────────────────────────
27 resource "aws_lb" "waf_lb" {
..
34 [ internal = false
..
52 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running Checkov in terraform/environments/xhibit-portal
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-15 08:00:59,060 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-10-15 08:00:59,060 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 557, Failed checks: 101, Skipped checks: 10

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app-server
	File: /app-server.tf:1-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "app-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig02-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 |   metadata_options {
		13 |     http_tokens   = "required"
		14 |     http_endpoint = "enabled"
		15 |   }
		16 | 
		17 |   root_block_device {
		18 |     encrypted = true
		19 |     tags = {
		20 |       Name = "root-block-device-app-${local.application_name}"
		21 |     }
		22 |   }
		23 | 
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       # This prevents clobbering the tags of attached EBS volumes. See
		27 |       # [this bug][1] in the AWS provider upstream.
		28 |       #
		29 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		30 |       #volume_tags,
		31 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		32 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		33 |     ]
		34 | 
		35 |     prevent_destroy = true
		36 |   }
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "app-${local.application_name}"
		42 |     }
		43 |   )
		44 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:7-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		7  | module "bastion_linux" {
		8  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		9  | 
		10 |   providers = {
		11 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		12 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		13 |   }
		14 | 
		15 |   # s3 - used for logs and user ssh public keys
		16 |   bucket_name = "bastion"
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | 
		37 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.build-server
	File: /build-server.tf:1-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "build-server" {
		2  |   depends_on                  = [aws_security_group.build_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].buildserver-ami
		5  |   vpc_security_group_ids      = [aws_security_group.build_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-build-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 |   }
		36 | 
		37 |   tags = merge(
		38 |     local.tags,
		39 |     {
		40 |       Name = "build-${local.application_name}"
		41 |     }
		42 |   )
		43 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.build-disk1
	File: /build-server.tf:46-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		46 | resource "aws_ebs_volume" "build-disk1" {
		47 |   depends_on        = [aws_instance.build-server]
		48 |   availability_zone = "${local.region}a"
		49 |   type              = "gp2"
		50 |   encrypted         = true
		51 | 
		52 |   snapshot_id = local.application_data.accounts[local.environment].buildserver-disk-1-snapshot
		53 | 
		54 |   tags = merge(
		55 |     local.tags,
		56 |     {
		57 |       Name = "build-disk1-${local.application_name}"
		58 |     }
		59 |   )
		60 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.cjim-server
	File: /cjim-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "cjim-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig04-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjim-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjim-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.cjim-disk1
	File: /cjim-server.tf:48-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		48 | resource "aws_ebs_volume" "cjim-disk1" {
		49 |   depends_on        = [aws_instance.cjim-server]
		50 |   availability_zone = "${local.region}a"
		51 |   type              = "gp2"
		52 |   encrypted         = true
		53 | 
		54 |   snapshot_id = local.application_data.accounts[local.environment].suprig04-disk-1-snapshot
		55 | 
		56 |   tags = merge(
		57 |     local.tags,
		58 |     {
		59 |       Name = "cjim-disk1-${local.application_name}"
		60 |     }
		61 |   )
		62 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.cjip-server
	File: /cjip-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "cjip-server" {
		2  |   depends_on                  = [aws_security_group.ingestion_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig05-ami
		5  |   vpc_security_group_ids      = [aws_security_group.ingestion_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjip-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjip-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.cjip-disk1
	File: /cjip-server.tf:48-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		48 | resource "aws_ebs_volume" "cjip-disk1" {
		49 |   depends_on        = [aws_instance.cjip-server]
		50 |   availability_zone = "${local.region}a"
		51 |   type              = "gp2"
		52 |   encrypted         = true
		53 | 
		54 |   snapshot_id = local.application_data.accounts[local.environment].suprig05-disk-1-snapshot
		55 | 
		56 |   tags = merge(
		57 |     local.tags,
		58 |     {
		59 |       Name = "cjip-disk1-${local.application_name}"
		60 |     }
		61 |   )
		62 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.shared_cmk_policy
	File: /cms_key.tf:16-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database-server-baremetal
	File: /database-server-baremetal.tf:3-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		3  | resource "aws_instance" "database-server-baremetal" {
		4  |   # Used to only allow the bare metal server to deploy in prod
		5  |   count                       = local.only_in_production
		6  |   depends_on                  = [aws_security_group.sms_server]
		7  |   instance_type               = "c5d.metal"
		8  |   ami                         = local.application_data.accounts[local.environment].suprig01-baremetal-ami
		9  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		10 |   monitoring                  = false
		11 |   associate_public_ip_address = false
		12 |   ebs_optimized               = false
		13 |   subnet_id                   = data.aws_subnet.private_az_a.id
		14 |   key_name                    = aws_key_pair.ben.key_name
		15 | 
		16 | 
		17 |   metadata_options {
		18 |     http_tokens   = "required"
		19 |     http_endpoint = "enabled"
		20 |   }
		21 | 
		22 |   root_block_device {
		23 |     encrypted   = true
		24 |     volume_size = 300
		25 |     tags = {
		26 |       Name = "root-block-device-baremetal-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       volume_tags,
		37 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		38 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		39 |     ]
		40 | 
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "baremetal-${local.application_name}"
		48 |     }
		49 |   )
		50 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-baremetal-disk1
	File: /database-server-baremetal.tf:53-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		53 | resource "aws_ebs_volume" "database-baremetal-disk1" {
		54 |   count             = local.only_in_production
		55 |   depends_on        = [aws_instance.database-server-baremetal]
		56 |   availability_zone = "${local.region}a"
		57 |   type              = "gp2"
		58 |   encrypted         = true
		59 |   size              = 4000
		60 | 
		61 |   tags = merge(
		62 |     local.tags,
		63 |     {
		64 |       Name = "database-baremetal-disk1-${local.application_name}"
		65 |     }
		66 |   )
		67 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.app-baremetal-disk2
	File: /database-server-baremetal.tf:98-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		98  | resource "aws_ebs_volume" "app-baremetal-disk2" {
		99  |   count             = local.only_in_production
		100 |   depends_on        = [aws_instance.database-server-baremetal]
		101 |   availability_zone = "${local.region}a"
		102 |   type              = "gp2"
		103 |   encrypted         = true
		104 |   size              = 2000
		105 | 
		106 |   tags = merge(
		107 |     local.tags,
		108 |     {
		109 |       Name = "app-baremetal-disk2-${local.application_name}"
		110 |     }
		111 |   )
		112 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database-server
	File: /database-server.tf:2-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		2  | resource "aws_instance" "database-server" {
		3  |   depends_on                  = [aws_security_group.app_servers]
		4  |   instance_type               = "t2.medium"
		5  |   ami                         = local.application_data.accounts[local.environment].suprig01-ami
		6  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		7  |   monitoring                  = false
		8  |   associate_public_ip_address = false
		9  |   ebs_optimized               = false
		10 |   subnet_id                   = data.aws_subnet.private_az_a.id
		11 |   key_name                    = aws_key_pair.george.key_name
		12 | 
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted   = true
		21 |     volume_size = 64
		22 |     tags = {
		23 |       Name = "root-block-device-database-${local.application_name}"
		24 |     }
		25 |   }
		26 | 
		27 |   lifecycle {
		28 |     ignore_changes = [
		29 |       # This prevents clobbering the tags of attached EBS volumes. See
		30 |       # [this bug][1] in the AWS provider upstream.
		31 |       #
		32 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		33 |       volume_tags,
		34 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = true
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "database-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk1
	File: /database-server.tf:50-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		50 | resource "aws_ebs_volume" "database-disk1" {
		51 |   depends_on        = [aws_instance.database-server]
		52 |   availability_zone = "${local.region}a"
		53 |   type              = "gp2"
		54 |   encrypted         = true
		55 | 
		56 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-1-snapshot
		57 | 
		58 |   tags = merge(
		59 |     local.tags,
		60 |     {
		61 |       Name = "database-disk1-${local.application_name}"
		62 |     }
		63 |   )
		64 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk2
	File: /database-server.tf:77-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		77 | resource "aws_ebs_volume" "database-disk2" {
		78 |   depends_on        = [aws_instance.database-server]
		79 |   availability_zone = "${local.region}a"
		80 |   type              = "gp2"
		81 |   encrypted         = true
		82 | 
		83 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-2-snapshot
		84 | 
		85 |   tags = merge(
		86 |     local.tags,
		87 |     {
		88 |       Name = "database-disk2-${local.application_name}"
		89 |     }
		90 |   )
		91 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk3
	File: /database-server.tf:102-116
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		102 | resource "aws_ebs_volume" "database-disk3" {
		103 |   depends_on        = [aws_instance.database-server]
		104 |   availability_zone = "${local.region}a"
		105 |   type              = "gp2"
		106 |   encrypted         = true
		107 | 
		108 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-3-snapshot
		109 | 
		110 |   tags = merge(
		111 |     local.tags,
		112 |     {
		113 |       Name = "database-disk3-${local.application_name}"
		114 |     }
		115 |   )
		116 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk4
	File: /database-server.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		126 | resource "aws_ebs_volume" "database-disk4" {
		127 |   depends_on        = [aws_instance.database-server]
		128 |   availability_zone = "${local.region}a"
		129 |   type              = "gp2"
		130 |   encrypted         = true
		131 | 
		132 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-4-snapshot
		133 | 
		134 |   tags = merge(
		135 |     local.tags,
		136 |     {
		137 |       Name = "database-disk4-${local.application_name}"
		138 |     }
		139 |   )
		140 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk5
	File: /database-server.tf:150-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		150 | resource "aws_ebs_volume" "database-disk5" {
		151 |   depends_on        = [aws_instance.database-server]
		152 |   availability_zone = "${local.region}a"
		153 |   type              = "gp2"
		154 |   encrypted         = true
		155 | 
		156 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-5-snapshot
		157 | 
		158 |   tags = merge(
		159 |     local.tags,
		160 |     {
		161 |       Name = "database-disk5-${local.application_name}"
		162 |     }
		163 |   )
		164 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk6
	File: /database-server.tf:175-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		175 | resource "aws_ebs_volume" "database-disk6" {
		176 |   depends_on        = [aws_instance.database-server]
		177 |   availability_zone = "${local.region}a"
		178 |   type              = "gp2"
		179 |   encrypted         = true
		180 | 
		181 |   #snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-6-snapshot
		182 | 
		183 |   size = 300
		184 | 
		185 |   tags = merge(
		186 |     local.tags,
		187 |     {
		188 |       Name = "database-disk6-${local.application_name}"
		189 |     }
		190 |   )
		191 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk7
	File: /database-server.tf:201-215
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		201 | resource "aws_ebs_volume" "database-disk7" {
		202 |   depends_on        = [aws_instance.database-server]
		203 |   availability_zone = "${local.region}a"
		204 |   type              = "gp2"
		205 |   encrypted         = true
		206 | 
		207 |   size = 300
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "database-disk7-${local.application_name}"
		213 |     }
		214 |   )
		215 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.infra1
	File: /domain-controllers.tf:103-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		103 | resource "aws_instance" "infra1" {
		104 |   instance_type               = "t2.small"
		105 |   ami                         = local.application_data.accounts[local.environment].infra1-ami
		106 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		107 |   monitoring                  = false
		108 |   associate_public_ip_address = false
		109 |   ebs_optimized               = false
		110 |   subnet_id                   = data.aws_subnet.private_az_a.id
		111 |   key_name                    = aws_key_pair.george.key_name
		112 | 
		113 | 
		114 |   metadata_options {
		115 |     http_tokens   = "required"
		116 |     http_endpoint = "enabled"
		117 |   }
		118 | 
		119 |   root_block_device {
		120 |     encrypted = true
		121 |     tags = {
		122 |       Name = "root-block-device-infra1-${local.application_name}"
		123 |     }
		124 |   }
		125 | 
		126 |   lifecycle {
		127 |     ignore_changes = [
		128 |       # This prevents clobbering the tags of attached EBS volumes. See
		129 |       # [this bug][1] in the AWS provider upstream.
		130 |       #
		131 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		132 |       #volume_tags,
		133 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		134 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		135 |     ]
		136 |   }
		137 | 
		138 |   tags = merge(
		139 |     local.tags,
		140 |     {
		141 |       Name = "infra1-${local.application_name}"
		142 |     }
		143 |   )
		144 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.infra1-disk1
	File: /domain-controllers.tf:146-159
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		146 | resource "aws_ebs_volume" "infra1-disk1" {
		147 |   availability_zone = "${local.region}a"
		148 |   type              = "gp2"
		149 |   encrypted         = true
		150 | 
		151 |   snapshot_id = local.application_data.accounts[local.environment].infra1-disk-1-snapshot
		152 | 
		153 |   tags = merge(
		154 |     local.tags,
		155 |     {
		156 |       Name = "infra1-disk1-${local.application_name}"
		157 |     }
		158 |   )
		159 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.infra2
	File: /domain-controllers.tf:169-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		169 | resource "aws_instance" "infra2" {
		170 |   depends_on                  = [aws_security_group.app_servers, aws_security_group.outbound_dns_resolver]
		171 |   instance_type               = "t2.small"
		172 |   ami                         = local.application_data.accounts[local.environment].infra2-ami
		173 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		174 |   monitoring                  = false
		175 |   associate_public_ip_address = false
		176 |   ebs_optimized               = false
		177 |   subnet_id                   = data.aws_subnet.private_az_b.id
		178 |   key_name                    = aws_key_pair.george.key_name
		179 | 
		180 | 
		181 |   metadata_options {
		182 |     http_tokens   = "required"
		183 |     http_endpoint = "enabled"
		184 |   }
		185 | 
		186 |   root_block_device {
		187 |     encrypted = true
		188 |     tags = {
		189 |       Name = "root-block-device-infra2-${local.application_name}"
		190 |     }
		191 |   }
		192 | 
		193 |   lifecycle {
		194 |     ignore_changes = [
		195 |       # This prevents clobbering the tags of attached EBS volumes. See
		196 |       # [this bug][1] in the AWS provider upstream.
		197 |       #
		198 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		199 |       volume_tags,
		200 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		201 |       #root_block_device,
		202 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		203 |     ]
		204 | 
		205 |     prevent_destroy = true
		206 |   }
		207 | 
		208 |   tags = merge(
		209 |     local.tags,
		210 |     {
		211 |       Name = "infra2-${local.application_name}"
		212 |     }
		213 |   )
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.exchange-server
	File: /exchange-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		6  | resource "aws_instance" "exchange-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.exchange_server]
		9  |   instance_type               = "t2.medium"
		10 |   ami                         = local.application_data.accounts[local.environment].infra6-ami
		11 |   vpc_security_group_ids      = [aws_security_group.exchange_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-exchange-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = true
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "exchange-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.exchange-disk1
	File: /exchange-server.tf:53-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		53 | resource "aws_ebs_volume" "exchange-disk1" {
		54 |   depends_on        = [aws_instance.exchange-server]
		55 |   availability_zone = "${local.region}a"
		56 |   type              = "gp2"
		57 |   encrypted         = true
		58 | 
		59 |   snapshot_id = local.application_data.accounts[local.environment].infra6-disk-1-snapshot
		60 | 
		61 |   tags = merge(
		62 |     local.tags,
		63 |     {
		64 |       Name = "exchange-disk1-${local.application_name}"
		65 |     }
		66 |   )
		67 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.exchange-disk2
	File: /exchange-server.tf:77-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		77 | resource "aws_ebs_volume" "exchange-disk2" {
		78 |   depends_on        = [aws_instance.exchange-server]
		79 |   availability_zone = "${local.region}a"
		80 |   type              = "gp2"
		81 |   encrypted         = true
		82 | 
		83 |   snapshot_id = local.application_data.accounts[local.environment].infra6-disk-2-snapshot
		84 | 
		85 |   tags = merge(
		86 |     local.tags,
		87 |     {
		88 |       Name = "exchange-disk2-${local.application_name}"
		89 |     }
		90 |   )
		91 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.iisrelay-server
	File: /iisrelay-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		6  | resource "aws_instance" "iisrelay-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.iisrelay_server]
		9  |   instance_type               = "t3.large"
		10 |   ami                         = local.application_data.accounts[local.environment].iisrelay-ami
		11 |   vpc_security_group_ids      = [aws_security_group.iisrelay_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-iisrelay-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = false
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "iisrelay-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.disk_xvdf
	File: /importmachine.tf:89-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		89  | resource "aws_ebs_volume" "disk_xvdf" {
		90  |   depends_on        = [aws_instance.importmachine]
		91  |   snapshot_id       = local.application_data.accounts[local.environment].importmachine-data-snapshot
		92  |   availability_zone = "${local.region}a"
		93  |   type              = "gp2"
		94  |   encrypted         = true
		95  |   size              = 6000
		96  | 
		97  |   tags = merge(
		98  |     local.tags,
		99  |     {
		100 |       Name = "importmachine-${local.application_name}-disk"
		101 |     }
		102 |   )
		103 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vm-import
	File: /importrole.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "vm-import" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
		4  | 
		5  |   bucket_prefix    = local.application_data.accounts[local.environment].bucket_prefix
		6  |   tags             = local.tags
		7  |   application_name = local.application_name
		8  |   account_number   = local.environment_management.account_ids[terraform.workspace]
		9  | 
		10 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vm-import
	File: /importrole.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		1  | module "vm-import" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
		4  | 
		5  |   bucket_prefix    = local.application_data.accounts[local.environment].bucket_prefix
		6  |   tags             = local.tags
		7  |   application_name = local.application_name
		8  |   account_number   = local.environment_management.account_ids[terraform.workspace]
		9  | 
		10 | }

Check: CKV_AWS_376: "Ensure AWS Elastic Load Balancer listener uses TLS/SSL"
	FAILED for resource: aws_elb.ingestion_lb
	File: /ingestion-load-balancer.tf:52-97

		52 | resource "aws_elb" "ingestion_lb" {
		53 | 
		54 |   depends_on = [
		55 |     aws_security_group.ingestion_lb,
		56 |   ]
		57 | 
		58 |   name            = "ingestion-lb-${var.networking[0].application}"
		59 |   internal        = false
		60 |   security_groups = [aws_security_group.ingestion_lb.id]
		61 |   subnets         = data.aws_subnets.ingestion-shared-public.ids
		62 | 
		63 |   access_logs {
		64 |     bucket        = aws_s3_bucket.loadbalancer_logs.bucket
		65 |     bucket_prefix = "http-lb"
		66 |     enabled       = true
		67 |   }
		68 | 
		69 |   listener {
		70 |     instance_port      = 80
		71 |     instance_protocol  = "http"
		72 |     lb_port            = 443
		73 |     lb_protocol        = "https"
		74 |     ssl_certificate_id = data.aws_acm_certificate.ingestion_lb_cert.arn
		75 |   }
		76 | 
		77 |   health_check {
		78 |     healthy_threshold   = 6
		79 |     unhealthy_threshold = 2
		80 |     timeout             = 2
		81 |     target              = "HTTP:80/"
		82 |     interval            = 5
		83 |   }
		84 | 
		85 |   instances                   = [aws_instance.cjip-server.id]
		86 |   cross_zone_load_balancing   = true
		87 |   idle_timeout                = 400
		88 |   connection_draining         = true
		89 |   connection_draining_timeout = 400
		90 | 
		91 |   tags = merge(
		92 |     local.tags,
		93 |     {
		94 |       Name = "ingestion-lb-${var.networking[0].application}"
		95 |     },
		96 |   )
		97 | }

Check: CKV_AWS_213: "Ensure ELB Policy uses only secure protocols"
	FAILED for resource: aws_load_balancer_policy.ingestion-ssl
	File: /ingestion-load-balancer.tf:199-674
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-elb-policy-uses-only-secure-protocols

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.root_snapshot_to_ami
	File: /lambda.tf:57-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		57 | resource "aws_lambda_function" "root_snapshot_to_ami" {
		58 |   # checkov:skip=CKV_AWS_50: "X-ray tracing is not required"
		59 |   # checkov:skip=CKV_AWS_117: "Lambda is not environment specific"
		60 |   # checkov:skip=CKV_AWS_116: "DLQ not required"
		61 |   filename                       = "lambda/lambda_function.zip"
		62 |   function_name                  = "root_snapshot_to_ami"
		63 |   role                           = aws_iam_role.snapshot_lambda.arn
		64 |   handler                        = "index.lambda_handler"
		65 |   source_code_hash               = data.archive_file.lambda_zip.output_base64sha256
		66 |   runtime                        = "python3.8"
		67 |   timeout                        = "120"
		68 |   reserved_concurrent_executions = 1
		69 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_old_ami
	File: /lambda.tf:150-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		150 | resource "aws_lambda_function" "delete_old_ami" {
		151 |   # checkov:skip=CKV_AWS_50: "X-ray tracing is not required"
		152 |   # checkov:skip=CKV_AWS_117: "Lambda is not environment specific"
		153 |   # checkov:skip=CKV_AWS_116: "DLQ not required"
		154 |   filename         = "lambda/delete_old_ami.zip"
		155 |   function_name    = "delete_old_ami"
		156 |   role             = aws_iam_role.delete_snapshot_lambda.arn
		157 |   handler          = "delete_old_ami.lambda_handler"
		158 |   source_code_hash = data.archive_file.delete_lambda_zip.output_base64sha256
		159 |   runtime          = "python3.8"
		160 |   # "large" amount of memory because of the amount of snapshots
		161 |   memory_size                    = "1280"
		162 |   timeout                        = "240"
		163 |   reserved_concurrent_executions = 1
		164 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.portal-server
	File: /portal-server.tf:1-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "portal-server" {
		2  |   depends_on                  = [aws_security_group.portal_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig03-ami
		5  |   vpc_security_group_ids      = [aws_security_group.portal_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-portal-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       #root_block_device,
		34 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		35 |     ]
		36 | 
		37 |     prevent_destroy = true
		38 |   }
		39 | 
		40 |   tags = merge(
		41 |     local.tags,
		42 |     {
		43 |       Name = "portal-${local.application_name}"
		44 |     }
		45 |   )
		46 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.prtg_lb
	File: /prtg-load-balancer.tf:12-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		12 | resource "aws_lb" "prtg_lb" {
		13 | 
		14 |   depends_on = [
		15 |     aws_security_group.prtg_lb,
		16 |   ]
		17 | 
		18 |   name                       = "prtg-lb-${var.networking[0].application}"
		19 |   internal                   = false
		20 |   load_balancer_type         = "application"
		21 |   security_groups            = [aws_security_group.prtg_lb.id]
		22 |   subnets                    = data.aws_subnets.prtg-shared-public.ids
		23 |   enable_deletion_protection = false
		24 | 
		25 |   access_logs {
		26 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		27 |     prefix  = "http-lb"
		28 |     enabled = true
		29 |   }
		30 | 
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "prtg-lb-${var.networking[0].application}"
		35 |     },
		36 |   )
		37 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.prtg_lb
	File: /prtg-load-balancer.tf:12-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		12 | resource "aws_lb" "prtg_lb" {
		13 | 
		14 |   depends_on = [
		15 |     aws_security_group.prtg_lb,
		16 |   ]
		17 | 
		18 |   name                       = "prtg-lb-${var.networking[0].application}"
		19 |   internal                   = false
		20 |   load_balancer_type         = "application"
		21 |   security_groups            = [aws_security_group.prtg_lb.id]
		22 |   subnets                    = data.aws_subnets.prtg-shared-public.ids
		23 |   enable_deletion_protection = false
		24 | 
		25 |   access_logs {
		26 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		27 |     prefix  = "http-lb"
		28 |     enabled = true
		29 |   }
		30 | 
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "prtg-lb-${var.networking[0].application}"
		35 |     },
		36 |   )
		37 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.prtg_acl
	File: /prtg-load-balancer.tf:138-204
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.sms-server
	File: /sms-server.tf:1-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "sms-server" {
		2  |   depends_on                  = [aws_security_group.sms_server]
		3  |   instance_type               = "t3.large"
		4  |   ami                         = local.application_data.accounts[local.environment].XHBPRESMS01-ami
		5  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.gary.key_name
		11 |   #key_name                    = aws_key_pair.george.key_name
		12 |   iam_instance_profile = aws_iam_instance_profile.ec2_xp_profile.id
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted = true
		21 |     tags = {
		22 |       Name = "root-block-device-sms-server-${local.application_name}"
		23 |     }
		24 |   }
		25 | 
		26 |   lifecycle {
		27 |     ignore_changes = [
		28 |       # This prevents clobbering the tags of attached EBS volumes. See
		29 |       # [this bug][1] in the AWS provider upstream.
		30 |       #
		31 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		32 |       volume_tags,
		33 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		34 |       #root_block_device,
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = false
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "sms-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.waf_lb
	File: /waf-load-balancer.tf:27-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		27 | resource "aws_lb" "waf_lb" {
		28 | 
		29 |   depends_on = [
		30 |     aws_security_group.waf_lb,
		31 |   ]
		32 | 
		33 |   name                       = "waf-lb-${var.networking[0].application}"
		34 |   internal                   = false
		35 |   load_balancer_type         = "application"
		36 |   security_groups            = [aws_security_group.waf_lb.id]
		37 |   subnets                    = data.aws_subnets.waf-shared-public.ids
		38 |   enable_deletion_protection = false
		39 | 
		40 |   access_logs {
		41 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		42 |     prefix  = "http-lb"
		43 |     enabled = true
		44 |   }
		45 | 
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Name = "waf-lb-${var.networking[0].application}"
		50 |     },
		51 |   )
		52 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.waf_lb
	File: /waf-load-balancer.tf:27-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		27 | resource "aws_lb" "waf_lb" {
		28 | 
		29 |   depends_on = [
		30 |     aws_security_group.waf_lb,
		31 |   ]
		32 | 
		33 |   name                       = "waf-lb-${var.networking[0].application}"
		34 |   internal                   = false
		35 |   load_balancer_type         = "application"
		36 |   security_groups            = [aws_security_group.waf_lb.id]
		37 |   subnets                    = data.aws_subnets.waf-shared-public.ids
		38 |   enable_deletion_protection = false
		39 | 
		40 |   access_logs {
		41 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		42 |     prefix  = "http-lb"
		43 |     enabled = true
		44 |   }
		45 | 
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Name = "waf-lb-${var.networking[0].application}"
		50 |     },
		51 |   )
		52 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.waf_lb_web_tg
	File: /waf-load-balancer.tf:54-78

		54 | resource "aws_lb_target_group" "waf_lb_web_tg" {
		55 |   depends_on           = [aws_lb.waf_lb]
		56 |   name                 = "waf-lb-web-tg-${var.networking[0].application}"
		57 |   port                 = 80
		58 |   protocol             = "HTTP"
		59 |   deregistration_delay = "30"
		60 |   vpc_id               = local.vpc_id
		61 | 
		62 |   health_check {
		63 |     path                = "/Secure/Default.aspx"
		64 |     port                = 80
		65 |     healthy_threshold   = 6
		66 |     unhealthy_threshold = 2
		67 |     timeout             = 2
		68 |     interval            = 5
		69 |     matcher             = "302" # change this to 200 when the database comes up
		70 |   }
		71 | 
		72 |   tags = merge(
		73 |     local.tags,
		74 |     {
		75 |       Name = "waf-lb_-g-${var.networking[0].application}"
		76 |     },
		77 |   )
		78 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf-load-balancer.tf:224-290
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.zgit
	File: /xp-secrets.tf:15-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		15 | resource "aws_secretsmanager_secret" "zgit" {
		16 |   name        = "${local.environment}/zgit.pem"
		17 |   description = "key pair used for the zgit-server-xhibit-portal"
		18 |   policy      = <<POLICY
		19 | {
		20 |   "Version" : "2012-10-17",
		21 |   "Statement" : [ {
		22 |     "Sid" : "AdministratorFullAccess",
		23 |     "Effect" : "Allow",
		24 |     "Principal" : {
		25 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		26 |     },
		27 |     "Action" : "secretsmanager:*",
		28 |     "Resource" : "*"
		29 |   },
		30 |   {
		31 |     "Sid" : "MPDeveloperFullAccess",
		32 |     "Effect" : "Allow",
		33 |     "Principal" : {
		34 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		35 |     },
		36 |     "Action" : "secretsmanager:*",  
		37 |     "Resource" : "*"
		38 |   } ]
		39 | }
		40 | POLICY
		41 | 
		42 |   tags = local.tags
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.prtgadmin
	File: /xp-secrets.tf:45-73
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "prtgadmin" {
		46 |   name        = "${local.environment}/prtgadmin"
		47 |   description = "Root admin account used for the PRTG monitoring application on the import machine"
		48 |   policy      = <<POLICY
		49 | {
		50 |   "Version" : "2012-10-17",
		51 |   "Statement" : [ {
		52 |     "Sid" : "AdministratorFullAccess",
		53 |     "Effect" : "Allow",
		54 |     "Principal" : {
		55 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		56 |     },
		57 |     "Action" : "secretsmanager:*",
		58 |     "Resource" : "*"
		59 |   },
		60 |   {
		61 |     "Sid" : "MPDeveloperFullAccess",
		62 |     "Effect" : "Allow",
		63 |     "Principal" : {
		64 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		65 |     },
		66 |     "Action" : "secretsmanager:*",  
		67 |     "Resource" : "*"
		68 |   } ]
		69 | }
		70 | POLICY
		71 | 
		72 |   tags = local.tags
		73 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.george
	File: /xp-secrets.tf:75-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		75  | resource "aws_secretsmanager_secret" "george" {
		76  |   name        = "${local.environment}/george.pem"
		77  |   description = "Private key for keypair george"
		78  |   policy      = <<POLICY
		79  | {
		80  |   "Version" : "2012-10-17",
		81  |   "Statement" : [ {
		82  |     "Sid" : "AdministratorFullAccess",
		83  |     "Effect" : "Allow",
		84  |     "Principal" : {
		85  |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		86  |     },
		87  |     "Action" : "secretsmanager:*",
		88  |     "Resource" : "*"
		89  |   },
		90  |   {
		91  |     "Sid" : "MPDeveloperFullAccess",
		92  |     "Effect" : "Allow",
		93  |     "Principal" : {
		94  |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		95  |     },
		96  |     "Action" : "secretsmanager:*",  
		97  |     "Resource" : "*"
		98  |   } ]
		99  | }
		100 | POLICY
		101 | 
		102 |   tags = local.tags
		103 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.aladmin
	File: /xp-secrets.tf:105-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		105 | resource "aws_secretsmanager_secret" "aladmin" {
		106 |   name        = "${local.environment}/aladmin"
		107 |   description = "The local admin password for the local user 'aladmin' on our domain joined EC2 instances"
		108 |   policy      = <<POLICY
		109 | {
		110 |   "Version" : "2012-10-17",
		111 |   "Statement" : [ {
		112 |     "Sid" : "AdministratorFullAccess",
		113 |     "Effect" : "Allow",
		114 |     "Principal" : {
		115 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		116 |     },
		117 |     "Action" : "secretsmanager:*",
		118 |     "Resource" : "*"
		119 |   },
		120 |   {
		121 |     "Sid" : "MPDeveloperFullAccess",
		122 |     "Effect" : "Allow",
		123 |     "Principal" : {
		124 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		125 |     },
		126 |     "Action" : "secretsmanager:*",  
		127 |     "Resource" : "*"
		128 |   } ]
		129 | }
		130 | POLICY
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.domainadmin-aladmin
	File: /xp-secrets.tf:135-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		135 | resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
		136 |   name        = "${local.environment}/[email protected]"
		137 |   description = "Domain admin account"
		138 |   policy      = <<POLICY
		139 | {
		140 |   "Version" : "2012-10-17",
		141 |   "Statement" : [ {
		142 |     "Sid" : "AdministratorFullAccess",
		143 |     "Effect" : "Allow",
		144 |     "Principal" : {
		145 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		146 |     },
		147 |     "Action" : "secretsmanager:*",
		148 |     "Resource" : "*"
		149 |   },
		150 |   {
		151 |     "Sid" : "MPDeveloperFullAccess",
		152 |     "Effect" : "Allow",
		153 |     "Principal" : {
		154 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		155 |     },
		156 |     "Action" : "secretsmanager:*",  
		157 |     "Resource" : "*"
		158 |   } ]
		159 | }
		160 | POLICY
		161 | 
		162 |   tags = local.tags
		163 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.ingest_root_ca_cert
	File: /xp-secrets.tf:165-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		165 | resource "aws_secretsmanager_secret" "ingest_root_ca_cert" {
		166 |   name        = "${local.environment}/ingest-root-ca-cert"
		167 |   description = "Root CA certificate data for the Ingest service"
		168 |   policy      = <<POLICY
		169 | {
		170 |   "Version" : "2012-10-17",
		171 |   "Statement" : [ {
		172 |     "Sid" : "AdministratorFullAccess",
		173 |     "Effect" : "Allow",
		174 |     "Principal" : {
		175 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		176 |     },
		177 |     "Action" : "secretsmanager:*",
		178 |     "Resource" : "*"
		179 |   },
		180 |   {
		181 |     "Sid" : "MPDeveloperFullAccess",
		182 |     "Effect" : "Allow",
		183 |     "Principal" : {
		184 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		185 |     },
		186 |     "Action" : "secretsmanager:*",  
		187 |     "Resource" : "*"
		188 |   } ]
		189 | }
		190 | POLICY
		191 | 
		192 |   tags = local.tags
		193 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.zgit
	File: /xp-secrets.tf:15-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		15 | resource "aws_secretsmanager_secret" "zgit" {
		16 |   name        = "${local.environment}/zgit.pem"
		17 |   description = "key pair used for the zgit-server-xhibit-portal"
		18 |   policy      = <<POLICY
		19 | {
		20 |   "Version" : "2012-10-17",
		21 |   "Statement" : [ {
		22 |     "Sid" : "AdministratorFullAccess",
		23 |     "Effect" : "Allow",
		24 |     "Principal" : {
		25 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		26 |     },
		27 |     "Action" : "secretsmanager:*",
		28 |     "Resource" : "*"
		29 |   },
		30 |   {
		31 |     "Sid" : "MPDeveloperFullAccess",
		32 |     "Effect" : "Allow",
		33 |     "Principal" : {
		34 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		35 |     },
		36 |     "Action" : "secretsmanager:*",  
		37 |     "Resource" : "*"
		38 |   } ]
		39 | }
		40 | POLICY
		41 | 
		42 |   tags = local.tags
		43 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.prtgadmin
	File: /xp-secrets.tf:45-73
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		45 | resource "aws_secretsmanager_secret" "prtgadmin" {
		46 |   name        = "${local.environment}/prtgadmin"
		47 |   description = "Root admin account used for the PRTG monitoring application on the import machine"
		48 |   policy      = <<POLICY
		49 | {
		50 |   "Version" : "2012-10-17",
		51 |   "Statement" : [ {
		52 |     "Sid" : "AdministratorFullAccess",
		53 |     "Effect" : "Allow",
		54 |     "Principal" : {
		55 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		56 |     },
		57 |     "Action" : "secretsmanager:*",
		58 |     "Resource" : "*"
		59 |   },
		60 |   {
		61 |     "Sid" : "MPDeveloperFullAccess",
		62 |     "Effect" : "Allow",
		63 |     "Principal" : {
		64 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		65 |     },
		66 |     "Action" : "secretsmanager:*",  
		67 |     "Resource" : "*"
		68 |   } ]
		69 | }
		70 | POLICY
		71 | 
		72 |   tags = local.tags
		73 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.george
	File: /xp-secrets.tf:75-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		75  | resource "aws_secretsmanager_secret" "george" {
		76  |   name        = "${local.environment}/george.pem"
		77  |   description = "Private key for keypair george"
		78  |   policy      = <<POLICY
		79  | {
		80  |   "Version" : "2012-10-17",
		81  |   "Statement" : [ {
		82  |     "Sid" : "AdministratorFullAccess",
		83  |     "Effect" : "Allow",
		84  |     "Principal" : {
		85  |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		86  |     },
		87  |     "Action" : "secretsmanager:*",
		88  |     "Resource" : "*"
		89  |   },
		90  |   {
		91  |     "Sid" : "MPDeveloperFullAccess",
		92  |     "Effect" : "Allow",
		93  |     "Principal" : {
		94  |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		95  |     },
		96  |     "Action" : "secretsmanager:*",  
		97  |     "Resource" : "*"
		98  |   } ]
		99  | }
		100 | POLICY
		101 | 
		102 |   tags = local.tags
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.aladmin
	File: /xp-secrets.tf:105-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		105 | resource "aws_secretsmanager_secret" "aladmin" {
		106 |   name        = "${local.environment}/aladmin"
		107 |   description = "The local admin password for the local user 'aladmin' on our domain joined EC2 instances"
		108 |   policy      = <<POLICY
		109 | {
		110 |   "Version" : "2012-10-17",
		111 |   "Statement" : [ {
		112 |     "Sid" : "AdministratorFullAccess",
		113 |     "Effect" : "Allow",
		114 |     "Principal" : {
		115 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		116 |     },
		117 |     "Action" : "secretsmanager:*",
		118 |     "Resource" : "*"
		119 |   },
		120 |   {
		121 |     "Sid" : "MPDeveloperFullAccess",
		122 |     "Effect" : "Allow",
		123 |     "Principal" : {
		124 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		125 |     },
		126 |     "Action" : "secretsmanager:*",  
		127 |     "Resource" : "*"
		128 |   } ]
		129 | }
		130 | POLICY
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.domainadmin-aladmin
	File: /xp-secrets.tf:135-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		135 | resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
		136 |   name        = "${local.environment}/[email protected]"
		137 |   description = "Domain admin account"
		138 |   policy      = <<POLICY
		139 | {
		140 |   "Version" : "2012-10-17",
		141 |   "Statement" : [ {
		142 |     "Sid" : "AdministratorFullAccess",
		143 |     "Effect" : "Allow",
		144 |     "Principal" : {
		145 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		146 |     },
		147 |     "Action" : "secretsmanager:*",
		148 |     "Resource" : "*"
		149 |   },
		150 |   {
		151 |     "Sid" : "MPDeveloperFullAccess",
		152 |     "Effect" : "Allow",
		153 |     "Principal" : {
		154 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		155 |     },
		156 |     "Action" : "secretsmanager:*",  
		157 |     "Resource" : "*"
		158 |   } ]
		159 | }
		160 | POLICY
		161 | 
		162 |   tags = local.tags
		163 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ingest_root_ca_cert
	File: /xp-secrets.tf:165-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		165 | resource "aws_secretsmanager_secret" "ingest_root_ca_cert" {
		166 |   name        = "${local.environment}/ingest-root-ca-cert"
		167 |   description = "Root CA certificate data for the Ingest service"
		168 |   policy      = <<POLICY
		169 | {
		170 |   "Version" : "2012-10-17",
		171 |   "Statement" : [ {
		172 |     "Sid" : "AdministratorFullAccess",
		173 |     "Effect" : "Allow",
		174 |     "Principal" : {
		175 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		176 |     },
		177 |     "Action" : "secretsmanager:*",
		178 |     "Resource" : "*"
		179 |   },
		180 |   {
		181 |     "Sid" : "MPDeveloperFullAccess",
		182 |     "Effect" : "Allow",
		183 |     "Principal" : {
		184 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		185 |     },
		186 |     "Action" : "secretsmanager:*",  
		187 |     "Resource" : "*"
		188 |   } ]
		189 | }
		190 | POLICY
		191 | 
		192 |   tags = local.tags
		193 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.prtg_lb_listener
	File: /prtg-load-balancer.tf:73-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		73 | resource "aws_lb_listener" "prtg_lb_listener" {
		74 |   depends_on = [
		75 |     aws_acm_certificate_validation.prtg_lb_cert_validation,
		76 |     aws_lb_target_group.prtg_lb_web_tg
		77 |   ]
		78 | 
		79 |   load_balancer_arn = aws_lb.prtg_lb.arn
		80 |   port              = "443"
		81 |   protocol          = "HTTPS"
		82 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		83 |   certificate_arn   = aws_acm_certificate.prtg_lb_cert.arn
		84 |   # certificate_arn   = data.aws_acm_certificate.ingestion_cert.arn 
		85 | 
		86 |   default_action {
		87 |     type             = "forward"
		88 |     target_group_arn = aws_lb_target_group.prtg_lb_web_tg.arn
		89 |   }
		90 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.waf_lb_listener
	File: /waf-load-balancer.tf:87-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		87  | resource "aws_lb_listener" "waf_lb_listener" {
		88  |   depends_on = [
		89  |     aws_acm_certificate_validation.waf_lb_cert_validation,
		90  |     aws_lb_target_group.waf_lb_web_tg
		91  |   ]
		92  | 
		93  |   load_balancer_arn = aws_lb.waf_lb.arn
		94  |   port              = "443"
		95  |   protocol          = "HTTPS"
		96  |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		97  |   certificate_arn   = aws_acm_certificate.waf_lb_cert.arn
		98  |   # certificate_arn   = data.aws_acm_certificate.ingestion_cert.arn 
		99  | 
		100 |   default_action {
		101 |     type             = "forward"
		102 |     target_group_arn = aws_lb_target_group.waf_lb_web_tg.arn
		103 |   }
		104 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.app-server
	File: /app-server.tf:1-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "app-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig02-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 |   metadata_options {
		13 |     http_tokens   = "required"
		14 |     http_endpoint = "enabled"
		15 |   }
		16 | 
		17 |   root_block_device {
		18 |     encrypted = true
		19 |     tags = {
		20 |       Name = "root-block-device-app-${local.application_name}"
		21 |     }
		22 |   }
		23 | 
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       # This prevents clobbering the tags of attached EBS volumes. See
		27 |       # [this bug][1] in the AWS provider upstream.
		28 |       #
		29 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		30 |       #volume_tags,
		31 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		32 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		33 |     ]
		34 | 
		35 |     prevent_destroy = true
		36 |   }
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "app-${local.application_name}"
		42 |     }
		43 |   )
		44 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.build-server
	File: /build-server.tf:1-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "build-server" {
		2  |   depends_on                  = [aws_security_group.build_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].buildserver-ami
		5  |   vpc_security_group_ids      = [aws_security_group.build_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-build-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 |   }
		36 | 
		37 |   tags = merge(
		38 |     local.tags,
		39 |     {
		40 |       Name = "build-${local.application_name}"
		41 |     }
		42 |   )
		43 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.cjim-server
	File: /cjim-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "cjim-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig04-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjim-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjim-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.cjip-server
	File: /cjip-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "cjip-server" {
		2  |   depends_on                  = [aws_security_group.ingestion_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig05-ami
		5  |   vpc_security_group_ids      = [aws_security_group.ingestion_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjip-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjip-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.database-server-baremetal
	File: /database-server-baremetal.tf:3-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		3  | resource "aws_instance" "database-server-baremetal" {
		4  |   # Used to only allow the bare metal server to deploy in prod
		5  |   count                       = local.only_in_production
		6  |   depends_on                  = [aws_security_group.sms_server]
		7  |   instance_type               = "c5d.metal"
		8  |   ami                         = local.application_data.accounts[local.environment].suprig01-baremetal-ami
		9  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		10 |   monitoring                  = false
		11 |   associate_public_ip_address = false
		12 |   ebs_optimized               = false
		13 |   subnet_id                   = data.aws_subnet.private_az_a.id
		14 |   key_name                    = aws_key_pair.ben.key_name
		15 | 
		16 | 
		17 |   metadata_options {
		18 |     http_tokens   = "required"
		19 |     http_endpoint = "enabled"
		20 |   }
		21 | 
		22 |   root_block_device {
		23 |     encrypted   = true
		24 |     volume_size = 300
		25 |     tags = {
		26 |       Name = "root-block-device-baremetal-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       volume_tags,
		37 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		38 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		39 |     ]
		40 | 
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "baremetal-${local.application_name}"
		48 |     }
		49 |   )
		50 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.database-server
	File: /database-server.tf:2-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		2  | resource "aws_instance" "database-server" {
		3  |   depends_on                  = [aws_security_group.app_servers]
		4  |   instance_type               = "t2.medium"
		5  |   ami                         = local.application_data.accounts[local.environment].suprig01-ami
		6  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		7  |   monitoring                  = false
		8  |   associate_public_ip_address = false
		9  |   ebs_optimized               = false
		10 |   subnet_id                   = data.aws_subnet.private_az_a.id
		11 |   key_name                    = aws_key_pair.george.key_name
		12 | 
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted   = true
		21 |     volume_size = 64
		22 |     tags = {
		23 |       Name = "root-block-device-database-${local.application_name}"
		24 |     }
		25 |   }
		26 | 
		27 |   lifecycle {
		28 |     ignore_changes = [
		29 |       # This prevents clobbering the tags of attached EBS volumes. See
		30 |       # [this bug][1] in the AWS provider upstream.
		31 |       #
		32 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		33 |       volume_tags,
		34 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = true
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "database-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.infra1
	File: /domain-controllers.tf:103-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		103 | resource "aws_instance" "infra1" {
		104 |   instance_type               = "t2.small"
		105 |   ami                         = local.application_data.accounts[local.environment].infra1-ami
		106 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		107 |   monitoring                  = false
		108 |   associate_public_ip_address = false
		109 |   ebs_optimized               = false
		110 |   subnet_id                   = data.aws_subnet.private_az_a.id
		111 |   key_name                    = aws_key_pair.george.key_name
		112 | 
		113 | 
		114 |   metadata_options {
		115 |     http_tokens   = "required"
		116 |     http_endpoint = "enabled"
		117 |   }
		118 | 
		119 |   root_block_device {
		120 |     encrypted = true
		121 |     tags = {
		122 |       Name = "root-block-device-infra1-${local.application_name}"
		123 |     }
		124 |   }
		125 | 
		126 |   lifecycle {
		127 |     ignore_changes = [
		128 |       # This prevents clobbering the tags of attached EBS volumes. See
		129 |       # [this bug][1] in the AWS provider upstream.
		130 |       #
		131 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		132 |       #volume_tags,
		133 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		134 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		135 |     ]
		136 |   }
		137 | 
		138 |   tags = merge(
		139 |     local.tags,
		140 |     {
		141 |       Name = "infra1-${local.application_name}"
		142 |     }
		143 |   )
		144 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.infra2
	File: /domain-controllers.tf:169-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		169 | resource "aws_instance" "infra2" {
		170 |   depends_on                  = [aws_security_group.app_servers, aws_security_group.outbound_dns_resolver]
		171 |   instance_type               = "t2.small"
		172 |   ami                         = local.application_data.accounts[local.environment].infra2-ami
		173 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		174 |   monitoring                  = false
		175 |   associate_public_ip_address = false
		176 |   ebs_optimized               = false
		177 |   subnet_id                   = data.aws_subnet.private_az_b.id
		178 |   key_name                    = aws_key_pair.george.key_name
		179 | 
		180 | 
		181 |   metadata_options {
		182 |     http_tokens   = "required"
		183 |     http_endpoint = "enabled"
		184 |   }
		185 | 
		186 |   root_block_device {
		187 |     encrypted = true
		188 |     tags = {
		189 |       Name = "root-block-device-infra2-${local.application_name}"
		190 |     }
		191 |   }
		192 | 
		193 |   lifecycle {
		194 |     ignore_changes = [
		195 |       # This prevents clobbering the tags of attached EBS volumes. See
		196 |       # [this bug][1] in the AWS provider upstream.
		197 |       #
		198 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		199 |       volume_tags,
		200 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		201 |       #root_block_device,
		202 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		203 |     ]
		204 | 
		205 |     prevent_destroy = true
		206 |   }
		207 | 
		208 |   tags = merge(
		209 |     local.tags,
		210 |     {
		211 |       Name = "infra2-${local.application_name}"
		212 |     }
		213 |   )
		214 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.exchange-server
	File: /exchange-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		6  | resource "aws_instance" "exchange-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.exchange_server]
		9  |   instance_type               = "t2.medium"
		10 |   ami                         = local.application_data.accounts[local.environment].infra6-ami
		11 |   vpc_security_group_ids      = [aws_security_group.exchange_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-exchange-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = true
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "exchange-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.iisrelay-server
	File: /iisrelay-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		6  | resource "aws_instance" "iisrelay-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.iisrelay_server]
		9  |   instance_type               = "t3.large"
		10 |   ami                         = local.application_data.accounts[local.environment].iisrelay-ami
		11 |   vpc_security_group_ids      = [aws_security_group.iisrelay_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-iisrelay-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = false
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "iisrelay-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.importmachine
	File: /importmachine.tf:49-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		49 | resource "aws_instance" "importmachine" {
		50 | 
		51 |   depends_on             = [aws_security_group.importmachine]
		52 |   instance_type          = "t3a.large"
		53 |   ami                    = local.application_data.accounts[local.environment].importmachine-ami
		54 |   vpc_security_group_ids = [aws_security_group.importmachine.id]
		55 |   monitoring             = true
		56 |   ebs_optimized          = true
		57 |   subnet_id              = data.aws_subnet.private_az_a.id
		58 |   key_name               = aws_key_pair.george.key_name
		59 | 
		60 |   metadata_options {
		61 |     http_tokens   = "required"
		62 |     http_endpoint = "enabled"
		63 |   }
		64 | 
		65 |   root_block_device {
		66 |     encrypted   = true
		67 |     volume_size = 70
		68 |   }
		69 | 
		70 |   lifecycle {
		71 |     ignore_changes = [
		72 |       # This prevents clobbering the tags of attached EBS volumes. See
		73 |       # [this bug][1] in the AWS provider upstream.
		74 | 
		75 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		76 |       volume_tags,
		77 |     ]
		78 |     prevent_destroy = true
		79 |   }
		80 | 
		81 |   tags = merge(
		82 |     local.tags,
		83 |     {
		84 |       Name = "importmachine-${local.application_name}"
		85 |     }
		86 |   )
		87 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.portal-server
	File: /portal-server.tf:1-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "portal-server" {
		2  |   depends_on                  = [aws_security_group.portal_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig03-ami
		5  |   vpc_security_group_ids      = [aws_security_group.portal_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-portal-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       #root_block_device,
		34 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		35 |     ]
		36 | 
		37 |     prevent_destroy = true
		38 |   }
		39 | 
		40 |   tags = merge(
		41 |     local.tags,
		42 |     {
		43 |       Name = "portal-${local.application_name}"
		44 |     }
		45 |   )
		46 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running tflint in terraform/environments/xhibit-portal
Excluding the following checks: terraform_unused_declarations
18 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import" is not pinned (terraform_module_pinned_source)

  on terraform/environments/xhibit-portal/importrole.tf line 3:
   3:   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/ingestion-load-balancer.tf line 140:
 140:       "${aws_s3_bucket.ingestion_loadbalancer_logs.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/ingestion-load-balancer.tf line 190:
 190:     resources = ["${aws_s3_bucket.ingestion_loadbalancer_logs.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/xhibit-portal/lambda.tf line 141:
 141: data "archive_file" "delete_lambda_zip" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 98:
  98:     "${local.application_data.accounts[local.environment].public_dns_name_prtg}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 237:
 237:   log_destination_configs = ["${aws_s3_bucket.prtg_logs[0].arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 257:
 257:       "${aws_s3_bucket.prtg_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 296:
 296:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 321:
 321:       "${aws_s3_bucket.prtg_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 328:
 328:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 184:
 184:     "${local.application_data.accounts[local.environment].public_dns_name_web}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 334:
 334:       "${aws_s3_bucket.loadbalancer_logs.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 384:
 384:     resources = ["${aws_s3_bucket.loadbalancer_logs.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 418:
 418:   log_destination_configs = ["${aws_s3_bucket.waf_logs[0].arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 438:
 438:       "${aws_s3_bucket.waf_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 477:
 477:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 502:
 502:       "${aws_s3_bucket.waf_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 509:
 509:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running Trivy in terraform/environments/xhibit-portal
2024-10-15T08:00:49Z	INFO	[vulndb] Need to update DB
2024-10-15T08:00:49Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-15T08:00:49Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T08:00:51Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T08:00:51Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-15T08:00:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-15T08:00:51Z	INFO	[misconfig] Need to update the built-in checks
2024-10-15T08:00:51Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-15T08:00:51Z	INFO	[secret] Secret scanning is enabled
2024-10-15T08:00:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T08:00:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T08:00:53Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-15T08:00:53Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-15T08:00:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T08:00:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T08:00:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T08:00:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T08:00:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T08:00:56Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2024-10-15T08:00:56Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-15T08:00:56Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="lambda.tf:57-69"
2024-10-15T08:00:56Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="lambda.tf:150-164"
2024-10-15T08:00:56Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="scripts/perf/node_modules"
2024-10-15T08:00:56Z	INFO	Number of language-specific files	num=1
2024-10-15T08:00:56Z	INFO	[npm] Detecting vulnerabilities...
2024-10-15T08:00:56Z	INFO	Detected config files	num=17

For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


scripts/perf/package-lock.json (npm)
====================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                          Title                           │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ jsonwebtoken │ CVE-2022-23539 │ HIGH     │ fixed  │ 8.5.1             │ 9.0.0               │ jsonwebtoken: Unrestricted key type could lead to legacy │
│              │                │          │        │                   │                     │ keys usage                                               │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-23539               │
├──────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ semver       │ CVE-2022-25883 │          │        │ 5.7.1             │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service      │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-25883               │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────┘

importmachine.tf (terraform)
============================
Tests: 4 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 importmachine.tf:20
   via importmachine.tf:14-21 (ingress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  20 [     ipv6_cidr_blocks = ["::/0"]
  ..   
  32   }
────────────────────────────────────────


HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 importmachine.tf:19
   via importmachine.tf:14-21 (ingress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  19 [     cidr_blocks      = ["0.0.0.0/0"]
  ..   
  32   }
────────────────────────────────────────



ingestion-load-balancer.tf (terraform)
======================================
Tests: 5 (SUCCESSES: 0, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource is meant to be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ingestion-load-balancer.tf:59
   via ingestion-load-balancer.tf:52-97 (aws_elb.ingestion_lb)
────────────────────────────────────────
  52   resource "aws_elb" "ingestion_lb" {
  ..   
  59 [   internal        = false
  ..   
  97   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enables public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access it if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────



prtg-load-balancer.tf (terraform)
=================================
Tests: 7 (SUCCESSES: 0, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (HIGH: 6, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.


See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 prtg-load-balancer.tf:82
   via prtg-load-balancer.tf:73-90 (aws_lb_listener.prtg_lb_listener)
────────────────────────────────────────
  73   resource "aws_lb_listener" "prtg_lb_listener" {
  ..   
  82 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
  ..   
  90   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 prtg-load-balancer.tf:12-37
────────────────────────────────────────
  12 ┌ resource "aws_lb" "prtg_lb" {
  13 │ 
  14 │   depends_on = [
  15 │     aws_security_group.prtg_lb,
  16 │   ]
  17 │ 
  18 │   name                       = "prtg-lb-${var.networking[0].application}"
  19 │   internal                   = false
  20 └   load_balancer_type         = "application"
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource is meant to be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 prtg-load-balancer.tf:19
   via prtg-load-balancer.tf:12-37 (aws_lb.prtg_lb)
────────────────────────────────────────
  12   resource "aws_lb" "prtg_lb" {
  ..   
  19 [   internal                   = false
  ..   
  37   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enables public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access it if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────



waf-load-balancer.tf (terraform)
================================
Tests: 11 (SUCCESSES: 0, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (HIGH: 10, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.


See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 waf-load-balancer.tf:96
   via waf-load-balancer.tf:87-104 (aws_lb_listener.waf_lb_listener)
────────────────────────────────────────
  87   resource "aws_lb_listener" "waf_lb_listener" {
  ..   
  96 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
 ...   
 104   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 waf-load-balancer.tf:27-52
────────────────────────────────────────
  27 ┌ resource "aws_lb" "waf_lb" {
  28 │ 
  29 │   depends_on = [
  30 │     aws_security_group.waf_lb,
  31 │   ]
  32 │ 
  33 │   name                       = "waf-lb-${var.networking[0].application}"
  34 │   internal                   = false
  35 └   load_balancer_type         = "application"
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource is meant to be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 waf-load-balancer.tf:34
   via waf-load-balancer.tf:27-52 (aws_lb.waf_lb)
────────────────────────────────────────
  27   resource "aws_lb" "waf_lb" {
  ..   
  34 [   internal                   = false
  ..   
  52   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enables public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enables public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access it if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access it if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


trivy_exitcode=1
```

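The Trivy failures above fall into four classes: log buckets with no public access block (avd-aws-0086/0087/0091/0093), ALB listeners on the `ELBSecurityPolicy-2016-08` policy, which still negotiates TLS 1.0 and 1.1 (avd-aws-0047), ALBs that pass invalid header fields through to targets (avd-aws-0052), and a security group with ingress from `0.0.0.0/0` and `::/0` (avd-aws-0107). The "exposed publicly" findings (avd-aws-0053) are warnings to confirm, not to fix, for an internet-facing load balancer. The following is an added example, not code from this PR or from the repository, showing the Terraform shape that clears each class; every resource and variable name in it (`aws_lb.public`, `var.admin_cidr_blocks`, the bucket name, the port) is an assumption for illustration, and the real buckets and listeners in the environment would be edited in place rather than recreated.

```hcl
# Added example, not the repository's own code. All names, the bucket name,
# the port and the variables below are assumptions for illustration.

variable "vpc_id"            { type = string }
variable "public_subnet_ids" { type = list(string) }
variable "certificate_arn"   { type = string }
variable "admin_cidr_blocks" { type = list(string) } # e.g. ["10.0.0.0/8"], never ["0.0.0.0/0"]

# avd-aws-0086 / 0087 / 0091 / 0093: every log bucket gets a public access
# block with all four flags on. The bucket itself is unchanged; the block is
# a separate resource keyed on the bucket id.
resource "aws_s3_bucket" "lb_logs" {
  bucket        = "example-lb-logs"
  force_destroy = true
}

resource "aws_s3_bucket_public_access_block" "lb_logs" {
  bucket                  = aws_s3_bucket.lb_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# avd-aws-0052: drop malformed header fields at the ALB.
# avd-aws-0053: internal = false is correct for an internet-facing LB, so the
# finding is acknowledged (or ignored with a trivy:ignore comment), not "fixed".
resource "aws_lb" "public" {
  name                       = "example-public-lb"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.lb.id]
  subnets                    = var.public_subnet_ids
  drop_invalid_header_fields = true
}

resource "aws_lb_target_group" "app" {
  name     = "example-app-tg"
  port     = 443
  protocol = "HTTPS"
  vpc_id   = var.vpc_id
}

# avd-aws-0047: ELBSecurityPolicy-2016-08 allows TLS 1.0/1.1.
# ELBSecurityPolicy-TLS13-1-2-2021-06 limits the listener to TLS 1.2 and 1.3.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.public.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# The LB's own security group may legitimately accept 443 from anywhere.
resource "aws_security_group" "lb" {
  name   = "example-lb-sg"
  vpc_id = var.vpc_id

  ingress {
    description      = "HTTPS from the internet (intended)"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}

# avd-aws-0107: an admin/import host must not accept ingress from 0.0.0.0/0
# or ::/0. Restrict to a known source range (or remove the rule and use
# SSM Session Manager / a bastion). The port is an assumption.
resource "aws_security_group" "importmachine" {
  name   = "example-importmachine-sg"
  vpc_id = var.vpc_id

  ingress {
    description = "Admin access from the management range only"
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = var.admin_cidr_blocks
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

To check a change like this before pushing, run `trivy config .` in the environment directory; the findings above should drop out, leaving only the public-exposure warnings, which are the ones a reviewer confirms as intended rather than remediates.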
@luigidifraiawork luigidifraiawork changed the title from "feat: add secret to hold Ingest server root CA certificate data" to "feat: add secret to hold Ingest LB root CA certificate data" on Oct 15, 2024
@zoltan-paldi zoltan-paldi (Contributor) left a comment:

The new secret looks good, approved.

@luigidifraiawork luigidifraiawork changed the title from "feat: add secret to hold Ingest LB root CA certificate data" to "feat: add secret to hold XP Ingest LB root CA certificate data" on Oct 15, 2024
@luigidifraiawork luigidifraiawork merged commit 6d65a8d into main Oct 15, 2024
12 of 14 checks passed
@luigidifraiawork luigidifraiawork deleted the feat/add-secret-ingest-cert branch October 15, 2024 08:39
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update

2 participants