You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Trivy will check the following folders:
terraform/environments/corporate-information-system
Running Trivy in terraform/environments/corporate-information-system
2024-12-19T15:49:22Z INFO [vulndb] Need to update DB
2024-12-19T15:49:22Z INFO [vulndb] Downloading vulnerability DB...
2024-12-19T15:49:22Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T15:49:25Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T15:49:25Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T15:49:25Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T15:49:25Z INFO [misconfig] Need to update the built-in checks
2024-12-19T15:49:25Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-19T15:49:25Z INFO [secret] Secret scanning is enabled
2024-12-19T15:49:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T15:49:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T15:49:26Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-19T15:49:26Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-19T15:49:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T15:49:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T15:49:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T15:49:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T15:49:29Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T15:49:29Z INFO Number of language-specific files num=0
2024-12-19T15:49:29Z INFO Detected config files num=4
trivy_exitcode=0
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 15:49:31,964 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-19 15:49:42,029 [MainThread ] [WARNI] Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
raw_data = hcl2.load(f)
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
return loads(file.read())
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
return hcl2.parse(text + "\n")
File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
tree = Hcl2.lark_parser.parse(text)
File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
return self.parser.parse(text, start=start, on_error=on_error)
File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
return self.parser.parse(stream, chosen_start, **kw)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
return self.parser.parse(lexer, start)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
return self.parse_from_state(parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
for token in state.lexer.lex(state):
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
yield lexer.next_token(lexer_state, parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
res = self.match(lex_state.text, line_ctr.char_pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
return self.scanner.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
m = mre.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:
Passed checks: 122, Failed checks: 6, Skipped checks: 0, Parsing errors: 1
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:72-120
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
72 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
73 | name = "${local.application_name_short}-s3fs-policy"
74 | role = aws_iam_role.cis_s3fs_role.id
75 |
76 | policy = jsonencode({
77 | Version = "2012-10-17"
78 | Statement = [
79 | {
80 | "Action" : [
81 | "s3:*"
82 | ],
83 | "Resource" : [
84 | "arn:aws:s3:::laa-software-bucket2",
85 | "arn:aws:s3:::laa-software-bucket2/*",
86 | "arn:aws:s3:::laa-software-library",
87 | "arn:aws:s3:::laa-software-library/*",
88 | "arn:aws:s3:::laa-cis-inbound-production",
89 | "arn:aws:s3:::laa-cis-inbound-production/*",
90 | "arn:aws:s3:::laa-cis-outbound-production",
91 | "arn:aws:s3:::laa-cis-outbound-production/*",
92 | "arn:aws:s3:::laa-ccms-outbound-production",
93 | "arn:aws:s3:::laa-ccms-outbound-production/*",
94 | "arn:aws:s3:::laa-ccms-inbound-production",
95 | "arn:aws:s3:::laa-ccms-inbound-production/*"
96 | ],
97 | "Effect" : "Allow"
98 | },
99 | {
100 | "Action" : [
101 | "logs:CreateLogGroup",
102 | "logs:CreateLogStream",
103 | "logs:DescribeLogStreams",
104 | "logs:PutRetentionPolicy",
105 | "logs:PutLogEvents",
106 | "ec2:DescribeInstances"
107 | ],
108 | "Resource" : "*",
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "ec2:CreateTags"
114 | ],
115 | "Resource" : "*",
116 | "Effect" : "Allow"
117 | }
118 | ]
119 | })
120 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:72-120
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
72 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
73 | name = "${local.application_name_short}-s3fs-policy"
74 | role = aws_iam_role.cis_s3fs_role.id
75 |
76 | policy = jsonencode({
77 | Version = "2012-10-17"
78 | Statement = [
79 | {
80 | "Action" : [
81 | "s3:*"
82 | ],
83 | "Resource" : [
84 | "arn:aws:s3:::laa-software-bucket2",
85 | "arn:aws:s3:::laa-software-bucket2/*",
86 | "arn:aws:s3:::laa-software-library",
87 | "arn:aws:s3:::laa-software-library/*",
88 | "arn:aws:s3:::laa-cis-inbound-production",
89 | "arn:aws:s3:::laa-cis-inbound-production/*",
90 | "arn:aws:s3:::laa-cis-outbound-production",
91 | "arn:aws:s3:::laa-cis-outbound-production/*",
92 | "arn:aws:s3:::laa-ccms-outbound-production",
93 | "arn:aws:s3:::laa-ccms-outbound-production/*",
94 | "arn:aws:s3:::laa-ccms-inbound-production",
95 | "arn:aws:s3:::laa-ccms-inbound-production/*"
96 | ],
97 | "Effect" : "Allow"
98 | },
99 | {
100 | "Action" : [
101 | "logs:CreateLogGroup",
102 | "logs:CreateLogStream",
103 | "logs:DescribeLogStreams",
104 | "logs:PutRetentionPolicy",
105 | "logs:PutLogEvents",
106 | "ec2:DescribeInstances"
107 | ],
108 | "Resource" : "*",
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "ec2:CreateTags"
114 | ],
115 | "Resource" : "*",
116 | "Effect" : "Allow"
117 | }
118 | ]
119 | })
120 | }
checkov_exitcode=1
CTFLint Scan Success
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
Trivy Scan Success
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Trivy in terraform/environments/corporate-information-system
2024-12-19T15:49:22Z INFO [vulndb] Need to update DB
2024-12-19T15:49:22Z INFO [vulndb] Downloading vulnerability DB...2024-12-19T15:49:22Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2024-12-19T15:49:25Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2024-12-19T15:49:25Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T15:49:25Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T15:49:25Z INFO [misconfig] Need to update the built-in checks
2024-12-19T15:49:25Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [------------------------------------------------------] 100.00%? p/s 100ms2024-12-19T15:49:25Z INFO [secret] Secret scanning is enabled
2024-12-19T15:49:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T15:49:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2024-12-19T15:49:26Z INFO [terraformscanner] Scanning root module file_path="."2024-12-19T15:49:26Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2024-12-19T15:49:27Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.aws_s3_object.user_public_keys"value="cty.NilVal"2024-12-19T15:49:27Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.data.aws_subnet.local_account"value="cty.NilVal"2024-12-19T15:49:27Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2024-12-19T15:49:27Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2024-12-19T15:49:29Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"2024-12-19T15:49:29Z INFO Number of language-specific files num=02024-12-19T15:49:29Z INFO Detected config files num=4trivy_exitcode=0
Trivy will check the following folders:
terraform/environments/corporate-information-system
Running Trivy in terraform/environments/corporate-information-system
2024-12-19T16:07:12Z INFO [vulndb] Need to update DB
2024-12-19T16:07:12Z INFO [vulndb] Downloading vulnerability DB...
2024-12-19T16:07:12Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T16:07:14Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T16:07:14Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T16:07:14Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T16:07:14Z INFO [misconfig] Need to update the built-in checks
2024-12-19T16:07:14Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-19T16:07:15Z INFO [secret] Secret scanning is enabled
2024-12-19T16:07:15Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T16:07:15Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T16:07:16Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-19T16:07:16Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-19T16:07:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T16:07:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T16:07:17Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T16:07:17Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T16:07:18Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T16:07:18Z INFO Number of language-specific files num=0
2024-12-19T16:07:18Z INFO Detected config files num=4
trivy_exitcode=0
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 16:07:21,463 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-19 16:07:31,518 [MainThread ] [WARNI] Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
raw_data = hcl2.load(f)
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
return loads(file.read())
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
return hcl2.parse(text + "\n")
File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
tree = Hcl2.lark_parser.parse(text)
File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
return self.parser.parse(text, start=start, on_error=on_error)
File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
return self.parser.parse(stream, chosen_start, **kw)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
return self.parser.parse(lexer, start)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
return self.parse_from_state(parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
for token in state.lexer.lex(state):
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
yield lexer.next_token(lexer_state, parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
res = self.match(lex_state.text, line_ctr.char_pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
return self.scanner.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
m = mre.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:
Passed checks: 122, Failed checks: 6, Skipped checks: 0, Parsing errors: 1
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:72-120
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
72 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
73 | name = "${local.application_name_short}-s3fs-policy"
74 | role = aws_iam_role.cis_s3fs_role.id
75 |
76 | policy = jsonencode({
77 | Version = "2012-10-17"
78 | Statement = [
79 | {
80 | "Action" : [
81 | "s3:*"
82 | ],
83 | "Resource" : [
84 | "arn:aws:s3:::laa-software-bucket2",
85 | "arn:aws:s3:::laa-software-bucket2/*",
86 | "arn:aws:s3:::laa-software-library",
87 | "arn:aws:s3:::laa-software-library/*",
88 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
89 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
90 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
91 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
92 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
93 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
94 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
95 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
96 | ],
97 | "Effect" : "Allow"
98 | },
99 | {
100 | "Action" : [
101 | "logs:CreateLogGroup",
102 | "logs:CreateLogStream",
103 | "logs:DescribeLogStreams",
104 | "logs:PutRetentionPolicy",
105 | "logs:PutLogEvents",
106 | "ec2:DescribeInstances"
107 | ],
108 | "Resource" : "*",
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "ec2:CreateTags"
114 | ],
115 | "Resource" : "*",
116 | "Effect" : "Allow"
117 | }
118 | ]
119 | })
120 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:72-120
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
72 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
73 | name = "${local.application_name_short}-s3fs-policy"
74 | role = aws_iam_role.cis_s3fs_role.id
75 |
76 | policy = jsonencode({
77 | Version = "2012-10-17"
78 | Statement = [
79 | {
80 | "Action" : [
81 | "s3:*"
82 | ],
83 | "Resource" : [
84 | "arn:aws:s3:::laa-software-bucket2",
85 | "arn:aws:s3:::laa-software-bucket2/*",
86 | "arn:aws:s3:::laa-software-library",
87 | "arn:aws:s3:::laa-software-library/*",
88 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
89 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
90 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
91 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
92 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
93 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
94 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
95 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
96 | ],
97 | "Effect" : "Allow"
98 | },
99 | {
100 | "Action" : [
101 | "logs:CreateLogGroup",
102 | "logs:CreateLogStream",
103 | "logs:DescribeLogStreams",
104 | "logs:PutRetentionPolicy",
105 | "logs:PutLogEvents",
106 | "ec2:DescribeInstances"
107 | ],
108 | "Resource" : "*",
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "ec2:CreateTags"
114 | ],
115 | "Resource" : "*",
116 | "Effect" : "Allow"
117 | }
118 | ]
119 | })
120 | }
checkov_exitcode=1
CTFLint Scan Success
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
Trivy Scan Success
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Trivy in terraform/environments/corporate-information-system
2024-12-19T16:07:12Z INFO [vulndb] Need to update DB
2024-12-19T16:07:12Z INFO [vulndb] Downloading vulnerability DB...2024-12-19T16:07:12Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2024-12-19T16:07:14Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2024-12-19T16:07:14Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T16:07:14Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T16:07:14Z INFO [misconfig] Need to update the built-in checks
2024-12-19T16:07:14Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [---------------------------------------------------------] 100.00%? p/s 0s2024-12-19T16:07:15Z INFO [secret] Secret scanning is enabled
2024-12-19T16:07:15Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T16:07:15Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2024-12-19T16:07:16Z INFO [terraformscanner] Scanning root module file_path="."2024-12-19T16:07:16Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2024-12-19T16:07:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.aws_s3_object.user_public_keys"value="cty.NilVal"2024-12-19T16:07:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.data.aws_subnet.local_account"value="cty.NilVal"2024-12-19T16:07:17Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2024-12-19T16:07:17Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2024-12-19T16:07:18Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"2024-12-19T16:07:18Z INFO Number of language-specific files num=02024-12-19T16:07:18Z INFO Detected config files num=4trivy_exitcode=0
Trivy will check the following folders:
terraform/environments/corporate-information-system
Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:23:12Z INFO [vulndb] Need to update DB
2024-12-19T17:23:12Z INFO [vulndb] Downloading vulnerability DB...
2024-12-19T17:23:12Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:23:14Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:23:14Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T17:23:14Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T17:23:14Z INFO [misconfig] Need to update the built-in checks
2024-12-19T17:23:14Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-19T17:23:14Z INFO [secret] Secret scanning is enabled
2024-12-19T17:23:14Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:23:14Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T17:23:15Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-19T17:23:15Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-19T17:23:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T17:23:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T17:23:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:23:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:23:17Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T17:23:17Z INFO Number of language-specific files num=0
2024-12-19T17:23:17Z INFO Detected config files num=4
trivy_exitcode=0
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 17:23:19,820 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-19 17:23:29,883 [MainThread ] [WARNI] Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
raw_data = hcl2.load(f)
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
return loads(file.read())
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
return hcl2.parse(text + "\n")
File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
tree = Hcl2.lark_parser.parse(text)
File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
return self.parser.parse(text, start=start, on_error=on_error)
File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
return self.parser.parse(stream, chosen_start, **kw)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
return self.parser.parse(lexer, start)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
return self.parse_from_state(parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
for token in state.lexer.lex(state):
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
yield lexer.next_token(lexer_state, parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
res = self.match(lex_state.text, line_ctr.char_pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
return self.scanner.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
m = mre.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:
Passed checks: 122, Failed checks: 6, Skipped checks: 0, Parsing errors: 1
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:84-132
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
84 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
85 | name = "${local.application_name_short}-s3fs-policy"
86 | role = aws_iam_role.cis_s3fs_role.id
87 |
88 | policy = jsonencode({
89 | Version = "2012-10-17"
90 | Statement = [
91 | {
92 | "Action" : [
93 | "s3:*"
94 | ],
95 | "Resource" : [
96 | "arn:aws:s3:::laa-software-bucket2",
97 | "arn:aws:s3:::laa-software-bucket2/*",
98 | "arn:aws:s3:::laa-software-library",
99 | "arn:aws:s3:::laa-software-library/*",
100 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
101 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
102 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
103 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
104 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
105 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
106 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
107 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
108 | ],
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "logs:CreateLogGroup",
114 | "logs:CreateLogStream",
115 | "logs:DescribeLogStreams",
116 | "logs:PutRetentionPolicy",
117 | "logs:PutLogEvents",
118 | "ec2:DescribeInstances"
119 | ],
120 | "Resource" : "*",
121 | "Effect" : "Allow"
122 | },
123 | {
124 | "Action" : [
125 | "ec2:CreateTags"
126 | ],
127 | "Resource" : "*",
128 | "Effect" : "Allow"
129 | }
130 | ]
131 | })
132 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:84-132
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
84 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
85 | name = "${local.application_name_short}-s3fs-policy"
86 | role = aws_iam_role.cis_s3fs_role.id
87 |
88 | policy = jsonencode({
89 | Version = "2012-10-17"
90 | Statement = [
91 | {
92 | "Action" : [
93 | "s3:*"
94 | ],
95 | "Resource" : [
96 | "arn:aws:s3:::laa-software-bucket2",
97 | "arn:aws:s3:::laa-software-bucket2/*",
98 | "arn:aws:s3:::laa-software-library",
99 | "arn:aws:s3:::laa-software-library/*",
100 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
101 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
102 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
103 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
104 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
105 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
106 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
107 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
108 | ],
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "logs:CreateLogGroup",
114 | "logs:CreateLogStream",
115 | "logs:DescribeLogStreams",
116 | "logs:PutRetentionPolicy",
117 | "logs:PutLogEvents",
118 | "ec2:DescribeInstances"
119 | ],
120 | "Resource" : "*",
121 | "Effect" : "Allow"
122 | },
123 | {
124 | "Action" : [
125 | "ec2:CreateTags"
126 | ],
127 | "Resource" : "*",
128 | "Effect" : "Allow"
129 | }
130 | ]
131 | })
132 | }
checkov_exitcode=1
CTFLint Scan Success
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
Trivy Scan Success
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:23:12Z INFO [vulndb] Need to update DB
2024-12-19T17:23:12Z INFO [vulndb] Downloading vulnerability DB...2024-12-19T17:23:12Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2024-12-19T17:23:14Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2024-12-19T17:23:14Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T17:23:14Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T17:23:14Z INFO [misconfig] Need to update the built-in checks
2024-12-19T17:23:14Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [------------------------------------------------------] 100.00%? p/s 100ms2024-12-19T17:23:14Z INFO [secret] Secret scanning is enabled
2024-12-19T17:23:14Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:23:14Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2024-12-19T17:23:15Z INFO [terraformscanner] Scanning root module file_path="."2024-12-19T17:23:15Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2024-12-19T17:23:16Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.aws_s3_object.user_public_keys"value="cty.NilVal"2024-12-19T17:23:16Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.data.aws_subnet.local_account"value="cty.NilVal"2024-12-19T17:23:16Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2024-12-19T17:23:16Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2024-12-19T17:23:17Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"2024-12-19T17:23:17Z INFO Number of language-specific files num=02024-12-19T17:23:17Z INFO Detected config files num=4trivy_exitcode=0
Trivy will check the following folders:
terraform/environments/corporate-information-system
Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:27:04Z INFO [vulndb] Need to update DB
2024-12-19T17:27:04Z INFO [vulndb] Downloading vulnerability DB...
2024-12-19T17:27:04Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:27:06Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:27:06Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T17:27:06Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T17:27:06Z INFO [misconfig] Need to update the built-in checks
2024-12-19T17:27:06Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-19T17:27:07Z INFO [secret] Secret scanning is enabled
2024-12-19T17:27:07Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:27:07Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T17:27:08Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-19T17:27:08Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-19T17:27:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T17:27:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T17:27:08Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:27:08Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:27:09Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T17:27:09Z INFO Number of language-specific files num=0
2024-12-19T17:27:09Z INFO Detected config files num=4
trivy_exitcode=0
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 17:27:12,201 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-19 17:27:22,264 [MainThread ] [WARNI] Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
raw_data = hcl2.load(f)
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
return loads(file.read())
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
return hcl2.parse(text + "\n")
File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
tree = Hcl2.lark_parser.parse(text)
File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
return self.parser.parse(text, start=start, on_error=on_error)
File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
return self.parser.parse(stream, chosen_start, **kw)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
return self.parser.parse(lexer, start)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
return self.parse_from_state(parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
for token in state.lexer.lex(state):
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
yield lexer.next_token(lexer_state, parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
res = self.match(lex_state.text, line_ctr.char_pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
return self.scanner.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
m = mre.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:
Passed checks: 122, Failed checks: 6, Skipped checks: 0, Parsing errors: 1
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:84-132
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
84 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
85 | name = "${local.application_name_short}-s3fs-policy"
86 | role = aws_iam_role.cis_s3fs_role.id
87 |
88 | policy = jsonencode({
89 | Version = "2012-10-17"
90 | Statement = [
91 | {
92 | "Action" : [
93 | "s3:*"
94 | ],
95 | "Resource" : [
96 | "arn:aws:s3:::laa-software-bucket2",
97 | "arn:aws:s3:::laa-software-bucket2/*",
98 | "arn:aws:s3:::laa-software-library",
99 | "arn:aws:s3:::laa-software-library/*",
100 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
101 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
102 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
103 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
104 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
105 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
106 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
107 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
108 | ],
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "logs:CreateLogGroup",
114 | "logs:CreateLogStream",
115 | "logs:DescribeLogStreams",
116 | "logs:PutRetentionPolicy",
117 | "logs:PutLogEvents",
118 | "ec2:DescribeInstances"
119 | ],
120 | "Resource" : "*",
121 | "Effect" : "Allow"
122 | },
123 | {
124 | "Action" : [
125 | "ec2:CreateTags"
126 | ],
127 | "Resource" : "*",
128 | "Effect" : "Allow"
129 | }
130 | ]
131 | })
132 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:84-132
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
84 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
85 | name = "${local.application_name_short}-s3fs-policy"
86 | role = aws_iam_role.cis_s3fs_role.id
87 |
88 | policy = jsonencode({
89 | Version = "2012-10-17"
90 | Statement = [
91 | {
92 | "Action" : [
93 | "s3:*"
94 | ],
95 | "Resource" : [
96 | "arn:aws:s3:::laa-software-bucket2",
97 | "arn:aws:s3:::laa-software-bucket2/*",
98 | "arn:aws:s3:::laa-software-library",
99 | "arn:aws:s3:::laa-software-library/*",
100 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
101 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
102 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
103 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
104 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
105 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
106 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
107 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
108 | ],
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "logs:CreateLogGroup",
114 | "logs:CreateLogStream",
115 | "logs:DescribeLogStreams",
116 | "logs:PutRetentionPolicy",
117 | "logs:PutLogEvents",
118 | "ec2:DescribeInstances"
119 | ],
120 | "Resource" : "*",
121 | "Effect" : "Allow"
122 | },
123 | {
124 | "Action" : [
125 | "ec2:CreateTags"
126 | ],
127 | "Resource" : "*",
128 | "Effect" : "Allow"
129 | }
130 | ]
131 | })
132 | }
terraform_plan scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
checkov_exitcode=1
CTFLint Scan Success
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
Trivy Scan Success
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:27:04Z INFO [vulndb] Need to update DB
2024-12-19T17:27:04Z INFO [vulndb] Downloading vulnerability DB...2024-12-19T17:27:04Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2024-12-19T17:27:06Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2024-12-19T17:27:06Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T17:27:06Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T17:27:06Z INFO [misconfig] Need to update the built-in checks
2024-12-19T17:27:06Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [------------------------------------------------------] 100.00%? p/s 100ms2024-12-19T17:27:07Z INFO [secret] Secret scanning is enabled
2024-12-19T17:27:07Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:27:07Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2024-12-19T17:27:08Z INFO [terraformscanner] Scanning root module file_path="."2024-12-19T17:27:08Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2024-12-19T17:27:08Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.aws_s3_object.user_public_keys"value="cty.NilVal"2024-12-19T17:27:08Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.data.aws_subnet.local_account"value="cty.NilVal"2024-12-19T17:27:08Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2024-12-19T17:27:08Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2024-12-19T17:27:09Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"2024-12-19T17:27:09Z INFO Number of language-specific files num=02024-12-19T17:27:09Z INFO Detected config files num=4trivy_exitcode=0
Trivy will check the following folders:
terraform/environments/corporate-information-system
Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:28:48Z INFO [vulndb] Need to update DB
2024-12-19T17:28:48Z INFO [vulndb] Downloading vulnerability DB...
2024-12-19T17:28:48Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:28:50Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-19T17:28:50Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T17:28:50Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T17:28:50Z INFO [misconfig] Need to update the built-in checks
2024-12-19T17:28:50Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-19T17:28:51Z INFO [secret] Secret scanning is enabled
2024-12-19T17:28:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:28:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-19T17:28:52Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-19T17:28:52Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-19T17:28:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-19T17:28:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-19T17:28:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:28:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-19T17:28:54Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-19T17:28:54Z INFO Number of language-specific files num=0
2024-12-19T17:28:54Z INFO Detected config files num=4
trivy_exitcode=0
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-19 17:28:57,302 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2024-12-19 17:29:07,358 [MainThread ] [WARNI] Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
raw_data = hcl2.load(f)
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
return loads(file.read())
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
return hcl2.parse(text + "\n")
File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
tree = Hcl2.lark_parser.parse(text)
File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
return self.parser.parse(text, start=start, on_error=on_error)
File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
return self.parser.parse(stream, chosen_start, **kw)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
return self.parser.parse(lexer, start)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
return self.parse_from_state(parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
for token in state.lexer.lex(state):
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
yield lexer.next_token(lexer_state, parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
res = self.match(lex_state.text, line_ctr.char_pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
return self.scanner.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
m = mre.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:
Passed checks: 122, Failed checks: 6, Skipped checks: 0, Parsing errors: 1
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:84-132
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
84 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
85 | name = "${local.application_name_short}-s3fs-policy"
86 | role = aws_iam_role.cis_s3fs_role.id
87 |
88 | policy = jsonencode({
89 | Version = "2012-10-17"
90 | Statement = [
91 | {
92 | "Action" : [
93 | "s3:*"
94 | ],
95 | "Resource" : [
96 | "arn:aws:s3:::laa-software-bucket2",
97 | "arn:aws:s3:::laa-software-bucket2/*",
98 | "arn:aws:s3:::laa-software-library",
99 | "arn:aws:s3:::laa-software-library/*",
100 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
101 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
102 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
103 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
104 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
105 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
106 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
107 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
108 | ],
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "logs:CreateLogGroup",
114 | "logs:CreateLogStream",
115 | "logs:DescribeLogStreams",
116 | "logs:PutRetentionPolicy",
117 | "logs:PutLogEvents",
118 | "ec2:DescribeInstances"
119 | ],
120 | "Resource" : "*",
121 | "Effect" : "Allow"
122 | },
123 | {
124 | "Action" : [
125 | "ec2:CreateTags"
126 | ],
127 | "Resource" : "*",
128 | "Effect" : "Allow"
129 | }
130 | ]
131 | })
132 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:84-132
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
84 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
85 | name = "${local.application_name_short}-s3fs-policy"
86 | role = aws_iam_role.cis_s3fs_role.id
87 |
88 | policy = jsonencode({
89 | Version = "2012-10-17"
90 | Statement = [
91 | {
92 | "Action" : [
93 | "s3:*"
94 | ],
95 | "Resource" : [
96 | "arn:aws:s3:::laa-software-bucket2",
97 | "arn:aws:s3:::laa-software-bucket2/*",
98 | "arn:aws:s3:::laa-software-library",
99 | "arn:aws:s3:::laa-software-library/*",
100 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
101 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
102 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
103 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
104 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
105 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
106 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
107 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
108 | ],
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "logs:CreateLogGroup",
114 | "logs:CreateLogStream",
115 | "logs:DescribeLogStreams",
116 | "logs:PutRetentionPolicy",
117 | "logs:PutLogEvents",
118 | "ec2:DescribeInstances"
119 | ],
120 | "Resource" : "*",
121 | "Effect" : "Allow"
122 | },
123 | {
124 | "Action" : [
125 | "ec2:CreateTags"
126 | ],
127 | "Resource" : "*",
128 | "Effect" : "Allow"
129 | }
130 | ]
131 | })
132 | }
checkov_exitcode=1
CTFLint Scan Success
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
Trivy Scan Success
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Trivy in terraform/environments/corporate-information-system
2024-12-19T17:28:48Z INFO [vulndb] Need to update DB
2024-12-19T17:28:48Z INFO [vulndb] Downloading vulnerability DB...2024-12-19T17:28:48Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2024-12-19T17:28:50Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2024-12-19T17:28:50Z INFO [vuln] Vulnerability scanning is enabled
2024-12-19T17:28:50Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-19T17:28:50Z INFO [misconfig] Need to update the built-in checks
2024-12-19T17:28:50Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [---------------------------------------------------------] 100.00%? p/s 0s2024-12-19T17:28:51Z INFO [secret] Secret scanning is enabled
2024-12-19T17:28:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-19T17:28:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2024-12-19T17:28:52Z INFO [terraformscanner] Scanning root module file_path="."2024-12-19T17:28:52Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2024-12-19T17:28:53Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.aws_s3_object.user_public_keys"value="cty.NilVal"2024-12-19T17:28:53Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.data.aws_subnet.local_account"value="cty.NilVal"2024-12-19T17:28:53Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2024-12-19T17:28:53Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2024-12-19T17:28:54Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"2024-12-19T17:28:54Z INFO Number of language-specific files num=02024-12-19T17:28:54Z INFO Detected config files num=4trivy_exitcode=0
Trivy will check the following folders:
terraform/environments/corporate-information-system
Running Trivy in terraform/environments/corporate-information-system
2025-01-10T12:36:06Z INFO [vulndb] Need to update DB
2025-01-10T12:36:06Z INFO [vulndb] Downloading vulnerability DB...
2025-01-10T12:36:06Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-10T12:36:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-10T12:36:08Z INFO [vuln] Vulnerability scanning is enabled
2025-01-10T12:36:08Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-10T12:36:08Z INFO [misconfig] Need to update the built-in checks
2025-01-10T12:36:08Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-10T12:36:08Z INFO [secret] Secret scanning is enabled
2025-01-10T12:36:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-10T12:36:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-10T12:36:10Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-10T12:36:10Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-10T12:36:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-10T12:36:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-10T12:36:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-10T12:36:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-10T12:36:11Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-10T12:36:11Z INFO Number of language-specific files num=0
2025-01-10T12:36:11Z INFO Detected config files num=4
trivy_exitcode=0
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Checkov in terraform/environments/corporate-information-system
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-10 12:36:14,328 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
2025-01-10 12:36:24,389 [MainThread ] [WARNI] Code block execution exceeded 10 seconds timeout
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/tf_parser.py", line 758, in __parse_with_timeout
raw_data = hcl2.load(f)
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 15, in load
return loads(file.read())
File "/usr/local/lib/python3.9/dist-packages/hcl2/api.py", line 89, in loads
return hcl2.parse(text + "\n")
File "/usr/local/lib/python3.9/dist-packages/hcl2/parser.py", line 50, in parse
tree = Hcl2.lark_parser.parse(text)
File "/usr/local/lib/python3.9/dist-packages/lark/lark.py", line 655, in parse
return self.parser.parse(text, start=start, on_error=on_error)
File "/usr/local/lib/python3.9/dist-packages/lark/parser_frontends.py", line 104, in parse
return self.parser.parse(stream, chosen_start, **kw)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 42, in parse
return self.parser.parse(lexer, start)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 88, in parse
return self.parse_from_state(parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/parsers/lalr_parser.py", line 100, in parse_from_state
for token in state.lexer.lex(state):
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 665, in lex
yield lexer.next_token(lexer_state, parser_state)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 593, in next_token
res = self.match(lex_state.text, line_ctr.char_pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 588, in match
return self.scanner.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/lark/lexer.py", line 389, in match
m = mre.match(text, pos)
File "/usr/local/lib/python3.9/dist-packages/checkov/common/util/stopit/signalstop.py", line 35, in handle_timeout
raise TimeoutException(f"Block exceeded maximum timeout value ({self.seconds} seconds).")
checkov.common.util.stopit.utils.TimeoutException: Block exceeded maximum timeout value (10 seconds).
terraform scan results:
Passed checks: 121, Failed checks: 6, Skipped checks: 0, Parsing errors: 1
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group_rule.app_outbound
File: /ec2.tf:170-177
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
170 | resource "aws_security_group_rule" "app_outbound" {
171 | type = "egress"
172 | from_port = 0
173 | to_port = 0
174 | protocol = "-1"
175 | cidr_blocks = ["0.0.0.0/0"]
176 | security_group_id = aws_security_group.ec2_instance_sg.id
177 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:84-132
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
84 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
85 | name = "${local.application_name_short}-s3fs-policy"
86 | role = aws_iam_role.cis_s3fs_role.id
87 |
88 | policy = jsonencode({
89 | Version = "2012-10-17"
90 | Statement = [
91 | {
92 | "Action" : [
93 | "s3:*"
94 | ],
95 | "Resource" : [
96 | "arn:aws:s3:::laa-software-bucket2",
97 | "arn:aws:s3:::laa-software-bucket2/*",
98 | "arn:aws:s3:::laa-software-library",
99 | "arn:aws:s3:::laa-software-library/*",
100 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
101 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
102 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
103 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
104 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
105 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
106 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
107 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
108 | ],
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "logs:CreateLogGroup",
114 | "logs:CreateLogStream",
115 | "logs:DescribeLogStreams",
116 | "logs:PutRetentionPolicy",
117 | "logs:PutLogEvents",
118 | "ec2:DescribeInstances"
119 | ],
120 | "Resource" : "*",
121 | "Effect" : "Allow"
122 | },
123 | {
124 | "Action" : [
125 | "ec2:CreateTags"
126 | ],
127 | "Resource" : "*",
128 | "Effect" : "Allow"
129 | }
130 | ]
131 | })
132 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.cis_s3fs_policy
File: /iam.tf:84-132
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
84 | resource "aws_iam_role_policy" "cis_s3fs_policy" {
85 | name = "${local.application_name_short}-s3fs-policy"
86 | role = aws_iam_role.cis_s3fs_role.id
87 |
88 | policy = jsonencode({
89 | Version = "2012-10-17"
90 | Statement = [
91 | {
92 | "Action" : [
93 | "s3:*"
94 | ],
95 | "Resource" : [
96 | "arn:aws:s3:::laa-software-bucket2",
97 | "arn:aws:s3:::laa-software-bucket2/*",
98 | "arn:aws:s3:::laa-software-library",
99 | "arn:aws:s3:::laa-software-library/*",
100 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
101 | "arn:aws:s3:::laa-cis-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
102 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
103 | "arn:aws:s3:::laa-cis-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
104 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
105 | "arn:aws:s3:::laa-ccms-outbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*",
106 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}",
107 | "arn:aws:s3:::laa-ccms-inbound-${local.application_data.accounts[local.environment].s3_bucket_env}/*"
108 | ],
109 | "Effect" : "Allow"
110 | },
111 | {
112 | "Action" : [
113 | "logs:CreateLogGroup",
114 | "logs:CreateLogStream",
115 | "logs:DescribeLogStreams",
116 | "logs:PutRetentionPolicy",
117 | "logs:PutLogEvents",
118 | "ec2:DescribeInstances"
119 | ],
120 | "Resource" : "*",
121 | "Effect" : "Allow"
122 | },
123 | {
124 | "Action" : [
125 | "ec2:CreateTags"
126 | ],
127 | "Resource" : "*",
128 | "Effect" : "Allow"
129 | }
130 | ]
131 | })
132 | }
checkov_exitcode=1
CTFLint Scan Success
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running tflint in terraform/environments/corporate-information-system
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
Trivy Scan Success
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/corporate-information-system
*****************************
Running Trivy in terraform/environments/corporate-information-system
2025-01-10T12:36:06Z INFO [vulndb] Need to update DB
2025-01-10T12:36:06Z INFO [vulndb] Downloading vulnerability DB...2025-01-10T12:36:06Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-10T12:36:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-10T12:36:08Z INFO [vuln] Vulnerability scanning is enabled
2025-01-10T12:36:08Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-10T12:36:08Z INFO [misconfig] Need to update the built-in checks
2025-01-10T12:36:08Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [---------------------------------------------------------] 100.00%? p/s 0s2025-01-10T12:36:08Z INFO [secret] Secret scanning is enabled
2025-01-10T12:36:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-10T12:36:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2025-01-10T12:36:10Z INFO [terraformscanner] Scanning root module file_path="."2025-01-10T12:36:10Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2025-01-10T12:36:10Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.aws_s3_object.user_public_keys"value="cty.NilVal"2025-01-10T12:36:10Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.data.aws_subnet.local_account"value="cty.NilVal"2025-01-10T12:36:10Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-10T12:36:10Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily"err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-10T12:36:11Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"2025-01-10T12:36:11Z INFO Number of language-specific files num=02025-01-10T12:36:11Z INFO Detected config files num=4trivy_exitcode=0
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.