Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.1 in /terraform/environments/xhibit-portal #8398

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Oct 23, 2024

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.1.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.4.1

What's Fixed

  • The original behaviour of the bastion_security_group output has been reinstated. It will once again output the id of the "aws_security_group" "bastion_linux" { ... } resource.
  • The updated output is still available through the bastion_security_group_map output.

What's Changed

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.4.0...v4.4.1

v4.4.0

What's Changed

  • All module resources use name_prefix instead of name to ensure uniqueness where possible.
  • The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically, e.g. module.bastion.bastion_security_group.id.

What's Changed

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.1...v4.4.0

v4.3.1

What's Fixed

  • The AWS KMS key used to encrypt the S3 bucket that holds ssh keys is now created with name_prefix instead of name to ensure uniqueness.
  • The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically, e.g. module.bastion.bastion_security_group.id.

What's Changed

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.0...v4.3.1

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

... (truncated)

Commits
  • dfed655 Merge pull request #578 from ministryofjustice/dependabot/github_actions/brid...
  • 0f9f6a7 Bump bridgecrewio/checkov-action from 12.2883.0 to 12.2884.0
  • 629382d Merge pull request #579 from ministryofjustice/fix/reinstate-old-output
  • d24e7f7 terraform-docs: automated action
  • 498e46b reinstated original behaviour of security group output, and moved new functio...
  • c95588b Merge pull request #577 from ministryofjustice/dependabot/github_actions/brid...
  • 5d37e86 Bump bridgecrewio/checkov-action from 12.2882.0 to 12.2883.0
  • 948bb8a Merge pull request #576 from ministryofjustice/dependabot/github_actions/mini...
  • 86f2b4b Bump ministryofjustice/github-actions from 18.2.4 to 18.3.1
  • 2137b50 Merge pull request #574 from ministryofjustice/dependabot/github_actions/aqua...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [bastion_linux::modernisation-platform-terraform-bastion-linux](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux) from 4.2.1 to 4.4.1.
- [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux/releases)
- [Commits](ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.4.1)

---
updated-dependencies:
- dependency-name: bastion_linux::github::ministryofjustice/modernisation-platform-terraform-bastion-linux::v4.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Oct 23, 2024
@dependabot dependabot bot requested a review from a team as a code owner October 23, 2024 00:55
@dependabot dependabot bot added the terraform Pull requests that update Terraform code label Oct 23, 2024
@dependabot dependabot bot requested review from a team as code owners October 23, 2024 00:55
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 23, 2024

Trivy Scan Failed

```text

Trivy will check the following folders:
terraform/environments/xhibit-portal


Running Trivy in terraform/environments/xhibit-portal
2024-10-23T00:57:54Z INFO [vulndb] Need to update DB
2024-10-23T00:57:54Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T00:57:54Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T00:57:56Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T00:57:56Z INFO [vuln] Vulnerability scanning is enabled
2024-10-23T00:57:56Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-23T00:57:56Z INFO [misconfig] Need to update the built-in checks
2024-10-23T00:57:56Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-23T00:57:57Z INFO [secret] Secret scanning is enabled
2024-10-23T00:57:57Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T00:57:57Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T00:57:58Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-23T00:57:58Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-23T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-23T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-23T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-23T00:57:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T00:57:59Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T00:58:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-23T00:58:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2024-10-23T00:58:01Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="lambda.tf:57-69"
2024-10-23T00:58:01Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="lambda.tf:150-164"
2024-10-23T00:58:02Z INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="scripts/perf/node_modules"
2024-10-23T00:58:02Z INFO Number of language-specific files num=1
2024-10-23T00:58:02Z INFO [npm] Detecting vulnerabilities...
2024-10-23T00:58:02Z INFO Detected config files num=17

For OSS Maintainers: VEX Notice

If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.

scripts/perf/package-lock.json (npm)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────┐
│ Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version       │ Title                                                    │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ jsonwebtoken │ CVE-2022-23539 │ HIGH     │ fixed  │ 8.5.1             │ 9.0.0               │ jsonwebtoken: Unrestricted key type could lead to legacy │
│              │                │          │        │                   │                     │ keys usagen                                              │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-23539               │
├──────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ semver       │ CVE-2022-25883 │          │        │ 5.7.1             │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service      │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-25883               │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────┘

importmachine.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
importmachine.tf:20
via importmachine.tf:14-21 (ingress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
20 [ ipv6_cidr_blocks = ["::/0"]
..
32 }
────────────────────────────────────────

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
importmachine.tf:19
via importmachine.tf:14-21 (ingress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
32 }
────────────────────────────────────────

ingestion-load-balancer.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ingestion-load-balancer.tf:59
via ingestion-load-balancer.tf:52-97 (aws_elb.ingestion_lb)
────────────────────────────────────────
52 resource "aws_elb" "ingestion_lb" {
..
59 [ internal = false
..
97 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

prtg-load-balancer.tf (terraform)

Tests: 7 (SUCCESSES: 0, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (HIGH: 6, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
prtg-load-balancer.tf:82
via prtg-load-balancer.tf:73-90 (aws_lb_listener.prtg_lb_listener)
────────────────────────────────────────
73 resource "aws_lb_listener" "prtg_lb_listener" {
..
82 [ ssl_policy = "ELBSecurityPolicy-2016-08"
..
90 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
prtg-load-balancer.tf:12-37
────────────────────────────────────────
12 ┌ resource "aws_lb" "prtg_lb" {
13 │
14 │ depends_on = [
15 │ aws_security_group.prtg_lb,
16 │ ]
17 │
18 │ name = "prtg-lb-${var.networking[0].application}"
19 │ internal = false
20 └ load_balancer_type = "application"
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
prtg-load-balancer.tf:19
via prtg-load-balancer.tf:12-37 (aws_lb.prtg_lb)
────────────────────────────────────────
12 resource "aws_lb" "prtg_lb" {
..
19 [ internal = false
..
37 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

waf-load-balancer.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (HIGH: 10, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
waf-load-balancer.tf:96
via waf-load-balancer.tf:87-104 (aws_lb_listener.waf_lb_listener)
────────────────────────────────────────
87 resource "aws_lb_listener" "waf_lb_listener" {
..
96 [ ssl_policy = "ELBSecurityPolicy-2016-08"
...
104 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
waf-load-balancer.tf:27-52
────────────────────────────────────────
27 ┌ resource "aws_lb" "waf_lb" {
28 │
29 │ depends_on = [
30 │ aws_security_group.waf_lb,
31 │ ]
32 │
33 │ name = "waf-lb-${var.networking[0].application}"
34 │ internal = false
35 └ load_balancer_type = "application"
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
waf-load-balancer.tf:34
via waf-load-balancer.tf:27-52 (aws_lb.waf_lb)
────────────────────────────────────────
27 resource "aws_lb" "waf_lb" {
..
34 [ internal = false
..
52 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running Checkov in terraform/environments/xhibit-portal
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-23 00:58:05,004 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.1:None (for external modules, the --download-external-modules flag is required)
2024-10-23 00:58:05,004 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 557, Failed checks: 101, Skipped checks: 10

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app-server
	File: /app-server.tf:1-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "app-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig02-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 |   metadata_options {
		13 |     http_tokens   = "required"
		14 |     http_endpoint = "enabled"
		15 |   }
		16 | 
		17 |   root_block_device {
		18 |     encrypted = true
		19 |     tags = {
		20 |       Name = "root-block-device-app-${local.application_name}"
		21 |     }
		22 |   }
		23 | 
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       # This prevents clobbering the tags of attached EBS volumes. See
		27 |       # [this bug][1] in the AWS provider upstream.
		28 |       #
		29 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		30 |       #volume_tags,
		31 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		32 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		33 |     ]
		34 | 
		35 |     prevent_destroy = true
		36 |   }
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "app-${local.application_name}"
		42 |     }
		43 |   )
		44 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:7-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		7  | module "bastion_linux" {
		8  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.1"
		9  | 
		10 |   providers = {
		11 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		12 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		13 |   }
		14 | 
		15 |   # s3 - used for logs and user ssh public keys
		16 |   bucket_name = "bastion"
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | 
		37 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.build-server
	File: /build-server.tf:1-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "build-server" {
		2  |   depends_on                  = [aws_security_group.build_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].buildserver-ami
		5  |   vpc_security_group_ids      = [aws_security_group.build_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-build-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 |   }
		36 | 
		37 |   tags = merge(
		38 |     local.tags,
		39 |     {
		40 |       Name = "build-${local.application_name}"
		41 |     }
		42 |   )
		43 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.build-disk1
	File: /build-server.tf:46-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		46 | resource "aws_ebs_volume" "build-disk1" {
		47 |   depends_on        = [aws_instance.build-server]
		48 |   availability_zone = "${local.region}a"
		49 |   type              = "gp2"
		50 |   encrypted         = true
		51 | 
		52 |   snapshot_id = local.application_data.accounts[local.environment].buildserver-disk-1-snapshot
		53 | 
		54 |   tags = merge(
		55 |     local.tags,
		56 |     {
		57 |       Name = "build-disk1-${local.application_name}"
		58 |     }
		59 |   )
		60 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.cjim-server
	File: /cjim-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "cjim-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig04-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjim-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjim-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.cjim-disk1
	File: /cjim-server.tf:48-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		48 | resource "aws_ebs_volume" "cjim-disk1" {
		49 |   depends_on        = [aws_instance.cjim-server]
		50 |   availability_zone = "${local.region}a"
		51 |   type              = "gp2"
		52 |   encrypted         = true
		53 | 
		54 |   snapshot_id = local.application_data.accounts[local.environment].suprig04-disk-1-snapshot
		55 | 
		56 |   tags = merge(
		57 |     local.tags,
		58 |     {
		59 |       Name = "cjim-disk1-${local.application_name}"
		60 |     }
		61 |   )
		62 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.cjip-server
	File: /cjip-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "cjip-server" {
		2  |   depends_on                  = [aws_security_group.ingestion_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig05-ami
		5  |   vpc_security_group_ids      = [aws_security_group.ingestion_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjip-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjip-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.cjip-disk1
	File: /cjip-server.tf:48-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		48 | resource "aws_ebs_volume" "cjip-disk1" {
		49 |   depends_on        = [aws_instance.cjip-server]
		50 |   availability_zone = "${local.region}a"
		51 |   type              = "gp2"
		52 |   encrypted         = true
		53 | 
		54 |   snapshot_id = local.application_data.accounts[local.environment].suprig05-disk-1-snapshot
		55 | 
		56 |   tags = merge(
		57 |     local.tags,
		58 |     {
		59 |       Name = "cjip-disk1-${local.application_name}"
		60 |     }
		61 |   )
		62 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.shared_cmk_policy
	File: /cms_key.tf:16-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database-server-baremetal
	File: /database-server-baremetal.tf:3-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		3  | resource "aws_instance" "database-server-baremetal" {
		4  |   # Used to only allow the bare metal server to deploy in prod
		5  |   count                       = local.only_in_production
		6  |   depends_on                  = [aws_security_group.sms_server]
		7  |   instance_type               = "c5d.metal"
		8  |   ami                         = local.application_data.accounts[local.environment].suprig01-baremetal-ami
		9  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		10 |   monitoring                  = false
		11 |   associate_public_ip_address = false
		12 |   ebs_optimized               = false
		13 |   subnet_id                   = data.aws_subnet.private_az_a.id
		14 |   key_name                    = aws_key_pair.ben.key_name
		15 | 
		16 | 
		17 |   metadata_options {
		18 |     http_tokens   = "required"
		19 |     http_endpoint = "enabled"
		20 |   }
		21 | 
		22 |   root_block_device {
		23 |     encrypted   = true
		24 |     volume_size = 300
		25 |     tags = {
		26 |       Name = "root-block-device-baremetal-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       volume_tags,
		37 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		38 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		39 |     ]
		40 | 
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "baremetal-${local.application_name}"
		48 |     }
		49 |   )
		50 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-baremetal-disk1
	File: /database-server-baremetal.tf:53-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		53 | resource "aws_ebs_volume" "database-baremetal-disk1" {
		54 |   count             = local.only_in_production
		55 |   depends_on        = [aws_instance.database-server-baremetal]
		56 |   availability_zone = "${local.region}a"
		57 |   type              = "gp2"
		58 |   encrypted         = true
		59 |   size              = 4000
		60 | 
		61 |   tags = merge(
		62 |     local.tags,
		63 |     {
		64 |       Name = "database-baremetal-disk1-${local.application_name}"
		65 |     }
		66 |   )
		67 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.app-baremetal-disk2
	File: /database-server-baremetal.tf:98-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		98  | resource "aws_ebs_volume" "app-baremetal-disk2" {
		99  |   count             = local.only_in_production
		100 |   depends_on        = [aws_instance.database-server-baremetal]
		101 |   availability_zone = "${local.region}a"
		102 |   type              = "gp2"
		103 |   encrypted         = true
		104 |   size              = 2000
		105 | 
		106 |   tags = merge(
		107 |     local.tags,
		108 |     {
		109 |       Name = "app-baremetal-disk2-${local.application_name}"
		110 |     }
		111 |   )
		112 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database-server
	File: /database-server.tf:2-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		2  | resource "aws_instance" "database-server" {
		3  |   depends_on                  = [aws_security_group.app_servers]
		4  |   instance_type               = "t2.medium"
		5  |   ami                         = local.application_data.accounts[local.environment].suprig01-ami
		6  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		7  |   monitoring                  = false
		8  |   associate_public_ip_address = false
		9  |   ebs_optimized               = false
		10 |   subnet_id                   = data.aws_subnet.private_az_a.id
		11 |   key_name                    = aws_key_pair.george.key_name
		12 | 
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted   = true
		21 |     volume_size = 64
		22 |     tags = {
		23 |       Name = "root-block-device-database-${local.application_name}"
		24 |     }
		25 |   }
		26 | 
		27 |   lifecycle {
		28 |     ignore_changes = [
		29 |       # This prevents clobbering the tags of attached EBS volumes. See
		30 |       # [this bug][1] in the AWS provider upstream.
		31 |       #
		32 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		33 |       volume_tags,
		34 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = true
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "database-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk1
	File: /database-server.tf:50-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		50 | resource "aws_ebs_volume" "database-disk1" {
		51 |   depends_on        = [aws_instance.database-server]
		52 |   availability_zone = "${local.region}a"
		53 |   type              = "gp2"
		54 |   encrypted         = true
		55 | 
		56 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-1-snapshot
		57 | 
		58 |   tags = merge(
		59 |     local.tags,
		60 |     {
		61 |       Name = "database-disk1-${local.application_name}"
		62 |     }
		63 |   )
		64 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk2
	File: /database-server.tf:77-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		77 | resource "aws_ebs_volume" "database-disk2" {
		78 |   depends_on        = [aws_instance.database-server]
		79 |   availability_zone = "${local.region}a"
		80 |   type              = "gp2"
		81 |   encrypted         = true
		82 | 
		83 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-2-snapshot
		84 | 
		85 |   tags = merge(
		86 |     local.tags,
		87 |     {
		88 |       Name = "database-disk2-${local.application_name}"
		89 |     }
		90 |   )
		91 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk3
	File: /database-server.tf:102-116
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		102 | resource "aws_ebs_volume" "database-disk3" {
		103 |   depends_on        = [aws_instance.database-server]
		104 |   availability_zone = "${local.region}a"
		105 |   type              = "gp2"
		106 |   encrypted         = true
		107 | 
		108 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-3-snapshot
		109 | 
		110 |   tags = merge(
		111 |     local.tags,
		112 |     {
		113 |       Name = "database-disk3-${local.application_name}"
		114 |     }
		115 |   )
		116 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk4
	File: /database-server.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		126 | resource "aws_ebs_volume" "database-disk4" {
		127 |   depends_on        = [aws_instance.database-server]
		128 |   availability_zone = "${local.region}a"
		129 |   type              = "gp2"
		130 |   encrypted         = true
		131 | 
		132 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-4-snapshot
		133 | 
		134 |   tags = merge(
		135 |     local.tags,
		136 |     {
		137 |       Name = "database-disk4-${local.application_name}"
		138 |     }
		139 |   )
		140 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk5
	File: /database-server.tf:150-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		150 | resource "aws_ebs_volume" "database-disk5" {
		151 |   depends_on        = [aws_instance.database-server]
		152 |   availability_zone = "${local.region}a"
		153 |   type              = "gp2"
		154 |   encrypted         = true
		155 | 
		156 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-5-snapshot
		157 | 
		158 |   tags = merge(
		159 |     local.tags,
		160 |     {
		161 |       Name = "database-disk5-${local.application_name}"
		162 |     }
		163 |   )
		164 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk6
	File: /database-server.tf:175-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		175 | resource "aws_ebs_volume" "database-disk6" {
		176 |   depends_on        = [aws_instance.database-server]
		177 |   availability_zone = "${local.region}a"
		178 |   type              = "gp2"
		179 |   encrypted         = true
		180 | 
		181 |   #snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-6-snapshot
		182 | 
		183 |   size = 300
		184 | 
		185 |   tags = merge(
		186 |     local.tags,
		187 |     {
		188 |       Name = "database-disk6-${local.application_name}"
		189 |     }
		190 |   )
		191 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk7
	File: /database-server.tf:201-215
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		201 | resource "aws_ebs_volume" "database-disk7" {
		202 |   depends_on        = [aws_instance.database-server]
		203 |   availability_zone = "${local.region}a"
		204 |   type              = "gp2"
		205 |   encrypted         = true
		206 | 
		207 |   size = 300
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "database-disk7-${local.application_name}"
		213 |     }
		214 |   )
		215 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.infra1
	File: /domain-controllers.tf:103-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		103 | resource "aws_instance" "infra1" {
		104 |   instance_type               = "t2.small"
		105 |   ami                         = local.application_data.accounts[local.environment].infra1-ami
		106 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		107 |   monitoring                  = false
		108 |   associate_public_ip_address = false
		109 |   ebs_optimized               = false
		110 |   subnet_id                   = data.aws_subnet.private_az_a.id
		111 |   key_name                    = aws_key_pair.george.key_name
		112 | 
		113 | 
		114 |   metadata_options {
		115 |     http_tokens   = "required"
		116 |     http_endpoint = "enabled"
		117 |   }
		118 | 
		119 |   root_block_device {
		120 |     encrypted = true
		121 |     tags = {
		122 |       Name = "root-block-device-infra1-${local.application_name}"
		123 |     }
		124 |   }
		125 | 
		126 |   lifecycle {
		127 |     ignore_changes = [
		128 |       # This prevents clobbering the tags of attached EBS volumes. See
		129 |       # [this bug][1] in the AWS provider upstream.
		130 |       #
		131 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		132 |       #volume_tags,
		133 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		134 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		135 |     ]
		136 |   }
		137 | 
		138 |   tags = merge(
		139 |     local.tags,
		140 |     {
		141 |       Name = "infra1-${local.application_name}"
		142 |     }
		143 |   )
		144 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.infra1-disk1
	File: /domain-controllers.tf:146-159
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		146 | resource "aws_ebs_volume" "infra1-disk1" {
		147 |   availability_zone = "${local.region}a"
		148 |   type              = "gp2"
		149 |   encrypted         = true
		150 | 
		151 |   snapshot_id = local.application_data.accounts[local.environment].infra1-disk-1-snapshot
		152 | 
		153 |   tags = merge(
		154 |     local.tags,
		155 |     {
		156 |       Name = "infra1-disk1-${local.application_name}"
		157 |     }
		158 |   )
		159 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.infra2
	File: /domain-controllers.tf:169-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		169 | resource "aws_instance" "infra2" {
		170 |   depends_on                  = [aws_security_group.app_servers, aws_security_group.outbound_dns_resolver]
		171 |   instance_type               = "t2.small"
		172 |   ami                         = local.application_data.accounts[local.environment].infra2-ami
		173 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		174 |   monitoring                  = false
		175 |   associate_public_ip_address = false
		176 |   ebs_optimized               = false
		177 |   subnet_id                   = data.aws_subnet.private_az_b.id
		178 |   key_name                    = aws_key_pair.george.key_name
		179 | 
		180 | 
		181 |   metadata_options {
		182 |     http_tokens   = "required"
		183 |     http_endpoint = "enabled"
		184 |   }
		185 | 
		186 |   root_block_device {
		187 |     encrypted = true
		188 |     tags = {
		189 |       Name = "root-block-device-infra2-${local.application_name}"
		190 |     }
		191 |   }
		192 | 
		193 |   lifecycle {
		194 |     ignore_changes = [
		195 |       # This prevents clobbering the tags of attached EBS volumes. See
		196 |       # [this bug][1] in the AWS provider upstream.
		197 |       #
		198 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		199 |       volume_tags,
		200 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		201 |       #root_block_device,
		202 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		203 |     ]
		204 | 
		205 |     prevent_destroy = true
		206 |   }
		207 | 
		208 |   tags = merge(
		209 |     local.tags,
		210 |     {
		211 |       Name = "infra2-${local.application_name}"
		212 |     }
		213 |   )
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.exchange-server
	File: /exchange-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		6  | resource "aws_instance" "exchange-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.exchange_server]
		9  |   instance_type               = "t2.medium"
		10 |   ami                         = local.application_data.accounts[local.environment].infra6-ami
		11 |   vpc_security_group_ids      = [aws_security_group.exchange_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-exchange-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = true
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "exchange-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.exchange-disk1
	File: /exchange-server.tf:53-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		53 | resource "aws_ebs_volume" "exchange-disk1" {
		54 |   depends_on        = [aws_instance.exchange-server]
		55 |   availability_zone = "${local.region}a"
		56 |   type              = "gp2"
		57 |   encrypted         = true
		58 | 
		59 |   snapshot_id = local.application_data.accounts[local.environment].infra6-disk-1-snapshot
		60 | 
		61 |   tags = merge(
		62 |     local.tags,
		63 |     {
		64 |       Name = "exchange-disk1-${local.application_name}"
		65 |     }
		66 |   )
		67 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.exchange-disk2
	File: /exchange-server.tf:77-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		77 | resource "aws_ebs_volume" "exchange-disk2" {
		78 |   depends_on        = [aws_instance.exchange-server]
		79 |   availability_zone = "${local.region}a"
		80 |   type              = "gp2"
		81 |   encrypted         = true
		82 | 
		83 |   snapshot_id = local.application_data.accounts[local.environment].infra6-disk-2-snapshot
		84 | 
		85 |   tags = merge(
		86 |     local.tags,
		87 |     {
		88 |       Name = "exchange-disk2-${local.application_name}"
		89 |     }
		90 |   )
		91 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.iisrelay-server
	File: /iisrelay-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		6  | resource "aws_instance" "iisrelay-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.iisrelay_server]
		9  |   instance_type               = "t3.large"
		10 |   ami                         = local.application_data.accounts[local.environment].iisrelay-ami
		11 |   vpc_security_group_ids      = [aws_security_group.iisrelay_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-iisrelay-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = false
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "iisrelay-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.disk_xvdf
	File: /importmachine.tf:89-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		89  | resource "aws_ebs_volume" "disk_xvdf" {
		90  |   depends_on        = [aws_instance.importmachine]
		91  |   snapshot_id       = local.application_data.accounts[local.environment].importmachine-data-snapshot
		92  |   availability_zone = "${local.region}a"
		93  |   type              = "gp2"
		94  |   encrypted         = true
		95  |   size              = 6000
		96  | 
		97  |   tags = merge(
		98  |     local.tags,
		99  |     {
		100 |       Name = "importmachine-${local.application_name}-disk"
		101 |     }
		102 |   )
		103 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vm-import
	File: /importrole.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "vm-import" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
		4  | 
		5  |   bucket_prefix    = local.application_data.accounts[local.environment].bucket_prefix
		6  |   tags             = local.tags
		7  |   application_name = local.application_name
		8  |   account_number   = local.environment_management.account_ids[terraform.workspace]
		9  | 
		10 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vm-import
	File: /importrole.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		1  | module "vm-import" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
		4  | 
		5  |   bucket_prefix    = local.application_data.accounts[local.environment].bucket_prefix
		6  |   tags             = local.tags
		7  |   application_name = local.application_name
		8  |   account_number   = local.environment_management.account_ids[terraform.workspace]
		9  | 
		10 | }

Check: CKV_AWS_376: "Ensure AWS Elastic Load Balancer listener uses TLS/SSL"
	FAILED for resource: aws_elb.ingestion_lb
	File: /ingestion-load-balancer.tf:52-97

		52 | resource "aws_elb" "ingestion_lb" {
		53 | 
		54 |   depends_on = [
		55 |     aws_security_group.ingestion_lb,
		56 |   ]
		57 | 
		58 |   name            = "ingestion-lb-${var.networking[0].application}"
		59 |   internal        = false
		60 |   security_groups = [aws_security_group.ingestion_lb.id]
		61 |   subnets         = data.aws_subnets.ingestion-shared-public.ids
		62 | 
		63 |   access_logs {
		64 |     bucket        = aws_s3_bucket.loadbalancer_logs.bucket
		65 |     bucket_prefix = "http-lb"
		66 |     enabled       = true
		67 |   }
		68 | 
		69 |   listener {
		70 |     instance_port      = 80
		71 |     instance_protocol  = "http"
		72 |     lb_port            = 443
		73 |     lb_protocol        = "https"
		74 |     ssl_certificate_id = data.aws_acm_certificate.ingestion_lb_cert.arn
		75 |   }
		76 | 
		77 |   health_check {
		78 |     healthy_threshold   = 6
		79 |     unhealthy_threshold = 2
		80 |     timeout             = 2
		81 |     target              = "HTTP:80/"
		82 |     interval            = 5
		83 |   }
		84 | 
		85 |   instances                   = [aws_instance.cjip-server.id]
		86 |   cross_zone_load_balancing   = true
		87 |   idle_timeout                = 400
		88 |   connection_draining         = true
		89 |   connection_draining_timeout = 400
		90 | 
		91 |   tags = merge(
		92 |     local.tags,
		93 |     {
		94 |       Name = "ingestion-lb-${var.networking[0].application}"
		95 |     },
		96 |   )
		97 | }

Check: CKV_AWS_213: "Ensure ELB Policy uses only secure protocols"
	FAILED for resource: aws_load_balancer_policy.ingestion-ssl
	File: /ingestion-load-balancer.tf:199-674
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-elb-policy-uses-only-secure-protocols

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.root_snapshot_to_ami
	File: /lambda.tf:57-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		57 | resource "aws_lambda_function" "root_snapshot_to_ami" {
		58 |   # checkov:skip=CKV_AWS_50: "X-ray tracing is not required"
		59 |   # checkov:skip=CKV_AWS_117: "Lambda is not environment specific"
		60 |   # checkov:skip=CKV_AWS_116: "DLQ not required"
		61 |   filename                       = "lambda/lambda_function.zip"
		62 |   function_name                  = "root_snapshot_to_ami"
		63 |   role                           = aws_iam_role.snapshot_lambda.arn
		64 |   handler                        = "index.lambda_handler"
		65 |   source_code_hash               = data.archive_file.lambda_zip.output_base64sha256
		66 |   runtime                        = "python3.8"
		67 |   timeout                        = "120"
		68 |   reserved_concurrent_executions = 1
		69 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_old_ami
	File: /lambda.tf:150-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		150 | resource "aws_lambda_function" "delete_old_ami" {
		151 |   # checkov:skip=CKV_AWS_50: "X-ray tracing is not required"
		152 |   # checkov:skip=CKV_AWS_117: "Lambda is not environment specific"
		153 |   # checkov:skip=CKV_AWS_116: "DLQ not required"
		154 |   filename         = "lambda/delete_old_ami.zip"
		155 |   function_name    = "delete_old_ami"
		156 |   role             = aws_iam_role.delete_snapshot_lambda.arn
		157 |   handler          = "delete_old_ami.lambda_handler"
		158 |   source_code_hash = data.archive_file.delete_lambda_zip.output_base64sha256
		159 |   runtime          = "python3.8"
		160 |   # "large" amount of memory because of the amount of snapshots
		161 |   memory_size                    = "1280"
		162 |   timeout                        = "240"
		163 |   reserved_concurrent_executions = 1
		164 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.portal-server
	File: /portal-server.tf:1-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "portal-server" {
		2  |   depends_on                  = [aws_security_group.portal_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig03-ami
		5  |   vpc_security_group_ids      = [aws_security_group.portal_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-portal-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       #root_block_device,
		34 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		35 |     ]
		36 | 
		37 |     prevent_destroy = true
		38 |   }
		39 | 
		40 |   tags = merge(
		41 |     local.tags,
		42 |     {
		43 |       Name = "portal-${local.application_name}"
		44 |     }
		45 |   )
		46 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.prtg_lb
	File: /prtg-load-balancer.tf:12-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		12 | resource "aws_lb" "prtg_lb" {
		13 | 
		14 |   depends_on = [
		15 |     aws_security_group.prtg_lb,
		16 |   ]
		17 | 
		18 |   name                       = "prtg-lb-${var.networking[0].application}"
		19 |   internal                   = false
		20 |   load_balancer_type         = "application"
		21 |   security_groups            = [aws_security_group.prtg_lb.id]
		22 |   subnets                    = data.aws_subnets.prtg-shared-public.ids
		23 |   enable_deletion_protection = false
		24 | 
		25 |   access_logs {
		26 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		27 |     prefix  = "http-lb"
		28 |     enabled = true
		29 |   }
		30 | 
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "prtg-lb-${var.networking[0].application}"
		35 |     },
		36 |   )
		37 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.prtg_lb
	File: /prtg-load-balancer.tf:12-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		12 | resource "aws_lb" "prtg_lb" {
		13 | 
		14 |   depends_on = [
		15 |     aws_security_group.prtg_lb,
		16 |   ]
		17 | 
		18 |   name                       = "prtg-lb-${var.networking[0].application}"
		19 |   internal                   = false
		20 |   load_balancer_type         = "application"
		21 |   security_groups            = [aws_security_group.prtg_lb.id]
		22 |   subnets                    = data.aws_subnets.prtg-shared-public.ids
		23 |   enable_deletion_protection = false
		24 | 
		25 |   access_logs {
		26 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		27 |     prefix  = "http-lb"
		28 |     enabled = true
		29 |   }
		30 | 
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "prtg-lb-${var.networking[0].application}"
		35 |     },
		36 |   )
		37 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.prtg_acl
	File: /prtg-load-balancer.tf:138-204
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.sms-server
	File: /sms-server.tf:1-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "sms-server" {
		2  |   depends_on                  = [aws_security_group.sms_server]
		3  |   instance_type               = "t3.large"
		4  |   ami                         = local.application_data.accounts[local.environment].XHBPRESMS01-ami
		5  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.gary.key_name
		11 |   #key_name                    = aws_key_pair.george.key_name
		12 |   iam_instance_profile = aws_iam_instance_profile.ec2_xp_profile.id
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted = true
		21 |     tags = {
		22 |       Name = "root-block-device-sms-server-${local.application_name}"
		23 |     }
		24 |   }
		25 | 
		26 |   lifecycle {
		27 |     ignore_changes = [
		28 |       # This prevents clobbering the tags of attached EBS volumes. See
		29 |       # [this bug][1] in the AWS provider upstream.
		30 |       #
		31 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		32 |       volume_tags,
		33 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		34 |       #root_block_device,
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = false
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "sms-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.waf_lb
	File: /waf-load-balancer.tf:27-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		27 | resource "aws_lb" "waf_lb" {
		28 | 
		29 |   depends_on = [
		30 |     aws_security_group.waf_lb,
		31 |   ]
		32 | 
		33 |   name                       = "waf-lb-${var.networking[0].application}"
		34 |   internal                   = false
		35 |   load_balancer_type         = "application"
		36 |   security_groups            = [aws_security_group.waf_lb.id]
		37 |   subnets                    = data.aws_subnets.waf-shared-public.ids
		38 |   enable_deletion_protection = false
		39 | 
		40 |   access_logs {
		41 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		42 |     prefix  = "http-lb"
		43 |     enabled = true
		44 |   }
		45 | 
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Name = "waf-lb-${var.networking[0].application}"
		50 |     },
		51 |   )
		52 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.waf_lb
	File: /waf-load-balancer.tf:27-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		27 | resource "aws_lb" "waf_lb" {
		28 | 
		29 |   depends_on = [
		30 |     aws_security_group.waf_lb,
		31 |   ]
		32 | 
		33 |   name                       = "waf-lb-${var.networking[0].application}"
		34 |   internal                   = false
		35 |   load_balancer_type         = "application"
		36 |   security_groups            = [aws_security_group.waf_lb.id]
		37 |   subnets                    = data.aws_subnets.waf-shared-public.ids
		38 |   enable_deletion_protection = false
		39 | 
		40 |   access_logs {
		41 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		42 |     prefix  = "http-lb"
		43 |     enabled = true
		44 |   }
		45 | 
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Name = "waf-lb-${var.networking[0].application}"
		50 |     },
		51 |   )
		52 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.waf_lb_web_tg
	File: /waf-load-balancer.tf:54-78

		54 | resource "aws_lb_target_group" "waf_lb_web_tg" {
		55 |   depends_on           = [aws_lb.waf_lb]
		56 |   name                 = "waf-lb-web-tg-${var.networking[0].application}"
		57 |   port                 = 80
		58 |   protocol             = "HTTP"
		59 |   deregistration_delay = "30"
		60 |   vpc_id               = local.vpc_id
		61 | 
		62 |   health_check {
		63 |     path                = "/Secure/Default.aspx"
		64 |     port                = 80
		65 |     healthy_threshold   = 6
		66 |     unhealthy_threshold = 2
		67 |     timeout             = 2
		68 |     interval            = 5
		69 |     matcher             = "302" # change this to 200 when the database comes up
		70 |   }
		71 | 
		72 |   tags = merge(
		73 |     local.tags,
		74 |     {
		75 |       Name = "waf-lb_-g-${var.networking[0].application}"
		76 |     },
		77 |   )
		78 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf-load-balancer.tf:224-290
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.zgit
	File: /xp-secrets.tf:15-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		15 | resource "aws_secretsmanager_secret" "zgit" {
		16 |   name        = "${local.environment}/zgit.pem"
		17 |   description = "key pair used for the zgit-server-xhibit-portal"
		18 |   policy      = <<POLICY
		19 | {
		20 |   "Version" : "2012-10-17",
		21 |   "Statement" : [ {
		22 |     "Sid" : "AdministratorFullAccess",
		23 |     "Effect" : "Allow",
		24 |     "Principal" : {
		25 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		26 |     },
		27 |     "Action" : "secretsmanager:*",
		28 |     "Resource" : "*"
		29 |   },
		30 |   {
		31 |     "Sid" : "MPDeveloperFullAccess",
		32 |     "Effect" : "Allow",
		33 |     "Principal" : {
		34 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		35 |     },
		36 |     "Action" : "secretsmanager:*",  
		37 |     "Resource" : "*"
		38 |   } ]
		39 | }
		40 | POLICY
		41 | 
		42 |   tags = local.tags
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.prtgadmin
	File: /xp-secrets.tf:45-73
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "prtgadmin" {
		46 |   name        = "${local.environment}/prtgadmin"
		47 |   description = "Root admin account used for the PRTG monitoring application on the import machine"
		48 |   policy      = <<POLICY
		49 | {
		50 |   "Version" : "2012-10-17",
		51 |   "Statement" : [ {
		52 |     "Sid" : "AdministratorFullAccess",
		53 |     "Effect" : "Allow",
		54 |     "Principal" : {
		55 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		56 |     },
		57 |     "Action" : "secretsmanager:*",
		58 |     "Resource" : "*"
		59 |   },
		60 |   {
		61 |     "Sid" : "MPDeveloperFullAccess",
		62 |     "Effect" : "Allow",
		63 |     "Principal" : {
		64 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		65 |     },
		66 |     "Action" : "secretsmanager:*",  
		67 |     "Resource" : "*"
		68 |   } ]
		69 | }
		70 | POLICY
		71 | 
		72 |   tags = local.tags
		73 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.george
	File: /xp-secrets.tf:75-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		75  | resource "aws_secretsmanager_secret" "george" {
		76  |   name        = "${local.environment}/george.pem"
		77  |   description = "Private key for keypair george"
		78  |   policy      = <<POLICY
		79  | {
		80  |   "Version" : "2012-10-17",
		81  |   "Statement" : [ {
		82  |     "Sid" : "AdministratorFullAccess",
		83  |     "Effect" : "Allow",
		84  |     "Principal" : {
		85  |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		86  |     },
		87  |     "Action" : "secretsmanager:*",
		88  |     "Resource" : "*"
		89  |   },
		90  |   {
		91  |     "Sid" : "MPDeveloperFullAccess",
		92  |     "Effect" : "Allow",
		93  |     "Principal" : {
		94  |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		95  |     },
		96  |     "Action" : "secretsmanager:*",  
		97  |     "Resource" : "*"
		98  |   } ]
		99  | }
		100 | POLICY
		101 | 
		102 |   tags = local.tags
		103 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.aladmin
	File: /xp-secrets.tf:105-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		105 | resource "aws_secretsmanager_secret" "aladmin" {
		106 |   name        = "${local.environment}/aladmin"
		107 |   description = "The local admin password for the local user 'aladmin' on our domain joined EC2 instances"
		108 |   policy      = <<POLICY
		109 | {
		110 |   "Version" : "2012-10-17",
		111 |   "Statement" : [ {
		112 |     "Sid" : "AdministratorFullAccess",
		113 |     "Effect" : "Allow",
		114 |     "Principal" : {
		115 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		116 |     },
		117 |     "Action" : "secretsmanager:*",
		118 |     "Resource" : "*"
		119 |   },
		120 |   {
		121 |     "Sid" : "MPDeveloperFullAccess",
		122 |     "Effect" : "Allow",
		123 |     "Principal" : {
		124 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		125 |     },
		126 |     "Action" : "secretsmanager:*",  
		127 |     "Resource" : "*"
		128 |   } ]
		129 | }
		130 | POLICY
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.domainadmin-aladmin
	File: /xp-secrets.tf:135-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		135 | resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
		136 |   name        = "${local.environment}/[email protected]"
		137 |   description = "Domain admin account"
		138 |   policy      = <<POLICY
		139 | {
		140 |   "Version" : "2012-10-17",
		141 |   "Statement" : [ {
		142 |     "Sid" : "AdministratorFullAccess",
		143 |     "Effect" : "Allow",
		144 |     "Principal" : {
		145 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		146 |     },
		147 |     "Action" : "secretsmanager:*",
		148 |     "Resource" : "*"
		149 |   },
		150 |   {
		151 |     "Sid" : "MPDeveloperFullAccess",
		152 |     "Effect" : "Allow",
		153 |     "Principal" : {
		154 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		155 |     },
		156 |     "Action" : "secretsmanager:*",  
		157 |     "Resource" : "*"
		158 |   } ]
		159 | }
		160 | POLICY
		161 | 
		162 |   tags = local.tags
		163 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.ingest_root_ca_cert
	File: /xp-secrets.tf:165-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		165 | resource "aws_secretsmanager_secret" "ingest_root_ca_cert" {
		166 |   name        = "${local.environment}/ingest-root-ca-cert"
		167 |   description = "Root CA certificate data for the Ingest service"
		168 |   policy      = <<POLICY
		169 | {
		170 |   "Version" : "2012-10-17",
		171 |   "Statement" : [ {
		172 |     "Sid" : "AdministratorFullAccess",
		173 |     "Effect" : "Allow",
		174 |     "Principal" : {
		175 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		176 |     },
		177 |     "Action" : "secretsmanager:*",
		178 |     "Resource" : "*"
		179 |   },
		180 |   {
		181 |     "Sid" : "MPDeveloperFullAccess",
		182 |     "Effect" : "Allow",
		183 |     "Principal" : {
		184 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		185 |     },
		186 |     "Action" : "secretsmanager:*",  
		187 |     "Resource" : "*"
		188 |   } ]
		189 | }
		190 | POLICY
		191 | 
		192 |   tags = local.tags
		193 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.zgit
	File: /xp-secrets.tf:15-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		15 | resource "aws_secretsmanager_secret" "zgit" {
		16 |   name        = "${local.environment}/zgit.pem"
		17 |   description = "key pair used for the zgit-server-xhibit-portal"
		18 |   policy      = <<POLICY
		19 | {
		20 |   "Version" : "2012-10-17",
		21 |   "Statement" : [ {
		22 |     "Sid" : "AdministratorFullAccess",
		23 |     "Effect" : "Allow",
		24 |     "Principal" : {
		25 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		26 |     },
		27 |     "Action" : "secretsmanager:*",
		28 |     "Resource" : "*"
		29 |   },
		30 |   {
		31 |     "Sid" : "MPDeveloperFullAccess",
		32 |     "Effect" : "Allow",
		33 |     "Principal" : {
		34 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		35 |     },
		36 |     "Action" : "secretsmanager:*",  
		37 |     "Resource" : "*"
		38 |   } ]
		39 | }
		40 | POLICY
		41 | 
		42 |   tags = local.tags
		43 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.prtgadmin
	File: /xp-secrets.tf:45-73
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		45 | resource "aws_secretsmanager_secret" "prtgadmin" {
		46 |   name        = "${local.environment}/prtgadmin"
		47 |   description = "Root admin account used for the PRTG monitoring application on the import machine"
		48 |   policy      = <<POLICY
		49 | {
		50 |   "Version" : "2012-10-17",
		51 |   "Statement" : [ {
		52 |     "Sid" : "AdministratorFullAccess",
		53 |     "Effect" : "Allow",
		54 |     "Principal" : {
		55 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		56 |     },
		57 |     "Action" : "secretsmanager:*",
		58 |     "Resource" : "*"
		59 |   },
		60 |   {
		61 |     "Sid" : "MPDeveloperFullAccess",
		62 |     "Effect" : "Allow",
		63 |     "Principal" : {
		64 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		65 |     },
		66 |     "Action" : "secretsmanager:*",  
		67 |     "Resource" : "*"
		68 |   } ]
		69 | }
		70 | POLICY
		71 | 
		72 |   tags = local.tags
		73 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.george
	File: /xp-secrets.tf:75-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		75  | resource "aws_secretsmanager_secret" "george" {
		76  |   name        = "${local.environment}/george.pem"
		77  |   description = "Private key for keypair george"
		78  |   policy      = <<POLICY
		79  | {
		80  |   "Version" : "2012-10-17",
		81  |   "Statement" : [ {
		82  |     "Sid" : "AdministratorFullAccess",
		83  |     "Effect" : "Allow",
		84  |     "Principal" : {
		85  |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		86  |     },
		87  |     "Action" : "secretsmanager:*",
		88  |     "Resource" : "*"
		89  |   },
		90  |   {
		91  |     "Sid" : "MPDeveloperFullAccess",
		92  |     "Effect" : "Allow",
		93  |     "Principal" : {
		94  |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		95  |     },
		96  |     "Action" : "secretsmanager:*",  
		97  |     "Resource" : "*"
		98  |   } ]
		99  | }
		100 | POLICY
		101 | 
		102 |   tags = local.tags
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.aladmin
	File: /xp-secrets.tf:105-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		105 | resource "aws_secretsmanager_secret" "aladmin" {
		106 |   name        = "${local.environment}/aladmin"
		107 |   description = "The local admin password for the local user 'aladmin' on our domain joined EC2 instances"
		108 |   policy      = <<POLICY
		109 | {
		110 |   "Version" : "2012-10-17",
		111 |   "Statement" : [ {
		112 |     "Sid" : "AdministratorFullAccess",
		113 |     "Effect" : "Allow",
		114 |     "Principal" : {
		115 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		116 |     },
		117 |     "Action" : "secretsmanager:*",
		118 |     "Resource" : "*"
		119 |   },
		120 |   {
		121 |     "Sid" : "MPDeveloperFullAccess",
		122 |     "Effect" : "Allow",
		123 |     "Principal" : {
		124 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		125 |     },
		126 |     "Action" : "secretsmanager:*",  
		127 |     "Resource" : "*"
		128 |   } ]
		129 | }
		130 | POLICY
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.domainadmin-aladmin
	File: /xp-secrets.tf:135-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		135 | resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
		136 |   name        = "${local.environment}/[email protected]"
		137 |   description = "Domain admin account"
		138 |   policy      = <<POLICY
		139 | {
		140 |   "Version" : "2012-10-17",
		141 |   "Statement" : [ {
		142 |     "Sid" : "AdministratorFullAccess",
		143 |     "Effect" : "Allow",
		144 |     "Principal" : {
		145 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		146 |     },
		147 |     "Action" : "secretsmanager:*",
		148 |     "Resource" : "*"
		149 |   },
		150 |   {
		151 |     "Sid" : "MPDeveloperFullAccess",
		152 |     "Effect" : "Allow",
		153 |     "Principal" : {
		154 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		155 |     },
		156 |     "Action" : "secretsmanager:*",  
		157 |     "Resource" : "*"
		158 |   } ]
		159 | }
		160 | POLICY
		161 | 
		162 |   tags = local.tags
		163 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ingest_root_ca_cert
	File: /xp-secrets.tf:165-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		165 | resource "aws_secretsmanager_secret" "ingest_root_ca_cert" {
		166 |   name        = "${local.environment}/ingest-root-ca-cert"
		167 |   description = "Root CA certificate data for the Ingest service"
		168 |   policy      = <<POLICY
		169 | {
		170 |   "Version" : "2012-10-17",
		171 |   "Statement" : [ {
		172 |     "Sid" : "AdministratorFullAccess",
		173 |     "Effect" : "Allow",
		174 |     "Principal" : {
		175 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		176 |     },
		177 |     "Action" : "secretsmanager:*",
		178 |     "Resource" : "*"
		179 |   },
		180 |   {
		181 |     "Sid" : "MPDeveloperFullAccess",
		182 |     "Effect" : "Allow",
		183 |     "Principal" : {
		184 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		185 |     },
		186 |     "Action" : "secretsmanager:*",  
		187 |     "Resource" : "*"
		188 |   } ]
		189 | }
		190 | POLICY
		191 | 
		192 |   tags = local.tags
		193 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.prtg_lb_listener
	File: /prtg-load-balancer.tf:73-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		73 | resource "aws_lb_listener" "prtg_lb_listener" {
		74 |   depends_on = [
		75 |     aws_acm_certificate_validation.prtg_lb_cert_validation,
		76 |     aws_lb_target_group.prtg_lb_web_tg
		77 |   ]
		78 | 
		79 |   load_balancer_arn = aws_lb.prtg_lb.arn
		80 |   port              = "443"
		81 |   protocol          = "HTTPS"
		82 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		83 |   certificate_arn   = aws_acm_certificate.prtg_lb_cert.arn
		84 |   # certificate_arn   = data.aws_acm_certificate.ingestion_cert.arn 
		85 | 
		86 |   default_action {
		87 |     type             = "forward"
		88 |     target_group_arn = aws_lb_target_group.prtg_lb_web_tg.arn
		89 |   }
		90 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.waf_lb_listener
	File: /waf-load-balancer.tf:87-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		87  | resource "aws_lb_listener" "waf_lb_listener" {
		88  |   depends_on = [
		89  |     aws_acm_certificate_validation.waf_lb_cert_validation,
		90  |     aws_lb_target_group.waf_lb_web_tg
		91  |   ]
		92  | 
		93  |   load_balancer_arn = aws_lb.waf_lb.arn
		94  |   port              = "443"
		95  |   protocol          = "HTTPS"
		96  |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		97  |   certificate_arn   = aws_acm_certificate.waf_lb_cert.arn
		98  |   # certificate_arn   = data.aws_acm_certificate.ingestion_cert.arn 
		99  | 
		100 |   default_action {
		101 |     type             = "forward"
		102 |     target_group_arn = aws_lb_target_group.waf_lb_web_tg.arn
		103 |   }
		104 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.app-server
	File: /app-server.tf:1-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "app-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig02-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 |   metadata_options {
		13 |     http_tokens   = "required"
		14 |     http_endpoint = "enabled"
		15 |   }
		16 | 
		17 |   root_block_device {
		18 |     encrypted = true
		19 |     tags = {
		20 |       Name = "root-block-device-app-${local.application_name}"
		21 |     }
		22 |   }
		23 | 
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       # This prevents clobbering the tags of attached EBS volumes. See
		27 |       # [this bug][1] in the AWS provider upstream.
		28 |       #
		29 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		30 |       #volume_tags,
		31 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		32 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		33 |     ]
		34 | 
		35 |     prevent_destroy = true
		36 |   }
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "app-${local.application_name}"
		42 |     }
		43 |   )
		44 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.build-server
	File: /build-server.tf:1-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "build-server" {
		2  |   depends_on                  = [aws_security_group.build_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].buildserver-ami
		5  |   vpc_security_group_ids      = [aws_security_group.build_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-build-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 |   }
		36 | 
		37 |   tags = merge(
		38 |     local.tags,
		39 |     {
		40 |       Name = "build-${local.application_name}"
		41 |     }
		42 |   )
		43 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.cjim-server
	File: /cjim-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "cjim-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig04-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjim-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjim-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.cjip-server
	File: /cjip-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "cjip-server" {
		2  |   depends_on                  = [aws_security_group.ingestion_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig05-ami
		5  |   vpc_security_group_ids      = [aws_security_group.ingestion_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjip-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjip-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.database-server-baremetal
	File: /database-server-baremetal.tf:3-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		3  | resource "aws_instance" "database-server-baremetal" {
		4  |   # Used to only allow the bare metal server to deploy in prod
		5  |   count                       = local.only_in_production
		6  |   depends_on                  = [aws_security_group.sms_server]
		7  |   instance_type               = "c5d.metal"
		8  |   ami                         = local.application_data.accounts[local.environment].suprig01-baremetal-ami
		9  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		10 |   monitoring                  = false
		11 |   associate_public_ip_address = false
		12 |   ebs_optimized               = false
		13 |   subnet_id                   = data.aws_subnet.private_az_a.id
		14 |   key_name                    = aws_key_pair.ben.key_name
		15 | 
		16 | 
		17 |   metadata_options {
		18 |     http_tokens   = "required"
		19 |     http_endpoint = "enabled"
		20 |   }
		21 | 
		22 |   root_block_device {
		23 |     encrypted   = true
		24 |     volume_size = 300
		25 |     tags = {
		26 |       Name = "root-block-device-baremetal-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       volume_tags,
		37 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		38 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		39 |     ]
		40 | 
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "baremetal-${local.application_name}"
		48 |     }
		49 |   )
		50 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.database-server
	File: /database-server.tf:2-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		2  | resource "aws_instance" "database-server" {
		3  |   depends_on                  = [aws_security_group.app_servers]
		4  |   instance_type               = "t2.medium"
		5  |   ami                         = local.application_data.accounts[local.environment].suprig01-ami
		6  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		7  |   monitoring                  = false
		8  |   associate_public_ip_address = false
		9  |   ebs_optimized               = false
		10 |   subnet_id                   = data.aws_subnet.private_az_a.id
		11 |   key_name                    = aws_key_pair.george.key_name
		12 | 
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted   = true
		21 |     volume_size = 64
		22 |     tags = {
		23 |       Name = "root-block-device-database-${local.application_name}"
		24 |     }
		25 |   }
		26 | 
		27 |   lifecycle {
		28 |     ignore_changes = [
		29 |       # This prevents clobbering the tags of attached EBS volumes. See
		30 |       # [this bug][1] in the AWS provider upstream.
		31 |       #
		32 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		33 |       volume_tags,
		34 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = true
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "database-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.infra1
	File: /domain-controllers.tf:103-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		103 | resource "aws_instance" "infra1" {
		104 |   instance_type               = "t2.small"
		105 |   ami                         = local.application_data.accounts[local.environment].infra1-ami
		106 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		107 |   monitoring                  = false
		108 |   associate_public_ip_address = false
		109 |   ebs_optimized               = false
		110 |   subnet_id                   = data.aws_subnet.private_az_a.id
		111 |   key_name                    = aws_key_pair.george.key_name
		112 | 
		113 | 
		114 |   metadata_options {
		115 |     http_tokens   = "required"
		116 |     http_endpoint = "enabled"
		117 |   }
		118 | 
		119 |   root_block_device {
		120 |     encrypted = true
		121 |     tags = {
		122 |       Name = "root-block-device-infra1-${local.application_name}"
		123 |     }
		124 |   }
		125 | 
		126 |   lifecycle {
		127 |     ignore_changes = [
		128 |       # This prevents clobbering the tags of attached EBS volumes. See
		129 |       # [this bug][1] in the AWS provider upstream.
		130 |       #
		131 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		132 |       #volume_tags,
		133 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		134 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		135 |     ]
		136 |   }
		137 | 
		138 |   tags = merge(
		139 |     local.tags,
		140 |     {
		141 |       Name = "infra1-${local.application_name}"
		142 |     }
		143 |   )
		144 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.infra2
	File: /domain-controllers.tf:169-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		169 | resource "aws_instance" "infra2" {
		170 |   depends_on                  = [aws_security_group.app_servers, aws_security_group.outbound_dns_resolver]
		171 |   instance_type               = "t2.small"
		172 |   ami                         = local.application_data.accounts[local.environment].infra2-ami
		173 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		174 |   monitoring                  = false
		175 |   associate_public_ip_address = false
		176 |   ebs_optimized               = false
		177 |   subnet_id                   = data.aws_subnet.private_az_b.id
		178 |   key_name                    = aws_key_pair.george.key_name
		179 | 
		180 | 
		181 |   metadata_options {
		182 |     http_tokens   = "required"
		183 |     http_endpoint = "enabled"
		184 |   }
		185 | 
		186 |   root_block_device {
		187 |     encrypted = true
		188 |     tags = {
		189 |       Name = "root-block-device-infra2-${local.application_name}"
		190 |     }
		191 |   }
		192 | 
		193 |   lifecycle {
		194 |     ignore_changes = [
		195 |       # This prevents clobbering the tags of attached EBS volumes. See
		196 |       # [this bug][1] in the AWS provider upstream.
		197 |       #
		198 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		199 |       volume_tags,
		200 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		201 |       #root_block_device,
		202 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		203 |     ]
		204 | 
		205 |     prevent_destroy = true
		206 |   }
		207 | 
		208 |   tags = merge(
		209 |     local.tags,
		210 |     {
		211 |       Name = "infra2-${local.application_name}"
		212 |     }
		213 |   )
		214 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.exchange-server
	File: /exchange-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		6  | resource "aws_instance" "exchange-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.exchange_server]
		9  |   instance_type               = "t2.medium"
		10 |   ami                         = local.application_data.accounts[local.environment].infra6-ami
		11 |   vpc_security_group_ids      = [aws_security_group.exchange_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-exchange-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = true
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "exchange-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.iisrelay-server
	File: /iisrelay-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		6  | resource "aws_instance" "iisrelay-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.iisrelay_server]
		9  |   instance_type               = "t3.large"
		10 |   ami                         = local.application_data.accounts[local.environment].iisrelay-ami
		11 |   vpc_security_group_ids      = [aws_security_group.iisrelay_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-iisrelay-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = false
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "iisrelay-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.importmachine
	File: /importmachine.tf:49-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		49 | resource "aws_instance" "importmachine" {
		50 | 
		51 |   depends_on             = [aws_security_group.importmachine]
		52 |   instance_type          = "t3a.large"
		53 |   ami                    = local.application_data.accounts[local.environment].importmachine-ami
		54 |   vpc_security_group_ids = [aws_security_group.importmachine.id]
		55 |   monitoring             = true
		56 |   ebs_optimized          = true
		57 |   subnet_id              = data.aws_subnet.private_az_a.id
		58 |   key_name               = aws_key_pair.george.key_name
		59 | 
		60 |   metadata_options {
		61 |     http_tokens   = "required"
		62 |     http_endpoint = "enabled"
		63 |   }
		64 | 
		65 |   root_block_device {
		66 |     encrypted   = true
		67 |     volume_size = 70
		68 |   }
		69 | 
		70 |   lifecycle {
		71 |     ignore_changes = [
		72 |       # This prevents clobbering the tags of attached EBS volumes. See
		73 |       # [this bug][1] in the AWS provider upstream.
		74 | 
		75 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		76 |       volume_tags,
		77 |     ]
		78 |     prevent_destroy = true
		79 |   }
		80 | 
		81 |   tags = merge(
		82 |     local.tags,
		83 |     {
		84 |       Name = "importmachine-${local.application_name}"
		85 |     }
		86 |   )
		87 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.portal-server
	File: /portal-server.tf:1-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "portal-server" {
		2  |   depends_on                  = [aws_security_group.portal_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig03-ami
		5  |   vpc_security_group_ids      = [aws_security_group.portal_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-portal-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       #root_block_device,
		34 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		35 |     ]
		36 | 
		37 |     prevent_destroy = true
		38 |   }
		39 | 
		40 |   tags = merge(
		41 |     local.tags,
		42 |     {
		43 |       Name = "portal-${local.application_name}"
		44 |     }
		45 |   )
		46 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running tflint in terraform/environments/xhibit-portal
Excluding the following checks: terraform_unused_declarations
18 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import" is not pinned (terraform_module_pinned_source)

  on terraform/environments/xhibit-portal/importrole.tf line 3:
   3:   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/ingestion-load-balancer.tf line 140:
 140:       "${aws_s3_bucket.ingestion_loadbalancer_logs.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/ingestion-load-balancer.tf line 190:
 190:     resources = ["${aws_s3_bucket.ingestion_loadbalancer_logs.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/xhibit-portal/lambda.tf line 141:
 141: data "archive_file" "delete_lambda_zip" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 98:
  98:     "${local.application_data.accounts[local.environment].public_dns_name_prtg}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 237:
 237:   log_destination_configs = ["${aws_s3_bucket.prtg_logs[0].arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 257:
 257:       "${aws_s3_bucket.prtg_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 296:
 296:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 321:
 321:       "${aws_s3_bucket.prtg_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 328:
 328:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 184:
 184:     "${local.application_data.accounts[local.environment].public_dns_name_web}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 334:
 334:       "${aws_s3_bucket.loadbalancer_logs.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 384:
 384:     resources = ["${aws_s3_bucket.loadbalancer_logs.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 418:
 418:   log_destination_configs = ["${aws_s3_bucket.waf_logs[0].arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 438:
 438:       "${aws_s3_bucket.waf_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 477:
 477:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 502:
 502:       "${aws_s3_bucket.waf_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 509:
 509:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running Trivy in terraform/environments/xhibit-portal
2024-10-23T00:57:54Z	INFO	[vulndb] Need to update DB
2024-10-23T00:57:54Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T00:57:54Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T00:57:56Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T00:57:56Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-23T00:57:56Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-23T00:57:56Z	INFO	[misconfig] Need to update the built-in checks
2024-10-23T00:57:56Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-23T00:57:57Z	INFO	[secret] Secret scanning is enabled
2024-10-23T00:57:57Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T00:57:57Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T00:57:58Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-23T00:57:58Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-23T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-23T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-23T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-23T00:57:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-23T00:57:59Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-23T00:58:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-23T00:58:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2024-10-23T00:58:01Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="lambda.tf:57-69"
2024-10-23T00:58:01Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="lambda.tf:150-164"
2024-10-23T00:58:02Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="scripts/perf/node_modules"
2024-10-23T00:58:02Z	INFO	Number of language-specific files	num=1
2024-10-23T00:58:02Z	INFO	[npm] Detecting vulnerabilities...
2024-10-23T00:58:02Z	INFO	Detected config files	num=17

For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


scripts/perf/package-lock.json (npm)
====================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                          Title                           │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ jsonwebtoken │ CVE-2022-23539 │ HIGH     │ fixed  │ 8.5.1             │ 9.0.0               │ jsonwebtoken: Unrestricted key type could lead to legacy │
│              │                │          │        │                   │                     │ keys usagen                                              │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-23539               │
├──────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ semver       │ CVE-2022-25883 │          │        │ 5.7.1             │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service      │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-25883               │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────┘

importmachine.tf (terraform)
============================
Tests: 4 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 importmachine.tf:20
   via importmachine.tf:14-21 (ingress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  20 [     ipv6_cidr_blocks = ["::/0"]
  ..   
  32   }
────────────────────────────────────────


HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 importmachine.tf:19
   via importmachine.tf:14-21 (ingress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  19 [     cidr_blocks      = ["0.0.0.0/0"]
  ..   
  32   }
────────────────────────────────────────



ingestion-load-balancer.tf (terraform)
======================================
Tests: 5 (SUCCESSES: 0, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ingestion-load-balancer.tf:59
   via ingestion-load-balancer.tf:52-97 (aws_elb.ingestion_lb)
────────────────────────────────────────
  52   resource "aws_elb" "ingestion_lb" {
  ..   
  59 [   internal        = false
  ..   
  97   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────



prtg-load-balancer.tf (terraform)
=================================
Tests: 7 (SUCCESSES: 0, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (HIGH: 6, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.


See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 prtg-load-balancer.tf:82
   via prtg-load-balancer.tf:73-90 (aws_lb_listener.prtg_lb_listener)
────────────────────────────────────────
  73   resource "aws_lb_listener" "prtg_lb_listener" {
  ..   
  82 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
  ..   
  90   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 prtg-load-balancer.tf:12-37
────────────────────────────────────────
  12 ┌ resource "aws_lb" "prtg_lb" {
  13 │ 
  14 │   depends_on = [
  15 │     aws_security_group.prtg_lb,
  16 │   ]
  17 │ 
  18 │   name                       = "prtg-lb-${var.networking[0].application}"
  19 │   internal                   = false
  20 └   load_balancer_type         = "application"
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 prtg-load-balancer.tf:19
   via prtg-load-balancer.tf:12-37 (aws_lb.prtg_lb)
────────────────────────────────────────
  12   resource "aws_lb" "prtg_lb" {
  ..   
  19 [   internal                   = false
  ..   
  37   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────



waf-load-balancer.tf (terraform)
================================
Tests: 11 (SUCCESSES: 0, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (HIGH: 10, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.


See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 waf-load-balancer.tf:96
   via waf-load-balancer.tf:87-104 (aws_lb_listener.waf_lb_listener)
────────────────────────────────────────
  87   resource "aws_lb_listener" "waf_lb_listener" {
  ..   
  96 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
 ...   
 104   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 waf-load-balancer.tf:27-52
────────────────────────────────────────
  27 ┌ resource "aws_lb" "waf_lb" {
  28 │ 
  29 │   depends_on = [
  30 │     aws_security_group.waf_lb,
  31 │   ]
  32 │ 
  33 │   name                       = "waf-lb-${var.networking[0].application}"
  34 │   internal                   = false
  35 └   load_balancer_type         = "application"
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 waf-load-balancer.tf:34
   via waf-load-balancer.tf:27-52 (aws_lb.waf_lb)
────────────────────────────────────────
  27   resource "aws_lb" "waf_lb" {
  ..   
  34 [   internal                   = false
  ..   
  52   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


trivy_exitcode=1

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the Stale label Nov 22, 2024
github-actions bot commented Dec 2, 2024

This PR was closed because it has been stalled for 40 days with no activity.

@github-actions github-actions bot closed this Dec 2, 2024
@github-actions github-actions bot deleted the dependabot/terraform/terraform/environments/xhibit-portal/bastion_linux--github--ministryofjustice/modernisation-platform-terraform-bastion-linux--v4.2.1-4.4.1 branch December 2, 2024 01:52
dependabot bot commented on behalf of github Dec 2, 2024

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

Labels
dependencies Pull requests that update a dependency file environments-repository Used to exclude PRs from this repo in our Slack PR update Stale terraform Pull requests that update Terraform code