Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.0 in /terraform/environments/xhibit-portal #8280

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 16, 2024

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.4.0.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.4.0

What's Changed

  • All module resources use name_prefix instead of name to ensure uniqueness where possible.
  • The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically. EG. module.bastion.bastion_security_group.id.

What's Changed

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.1...v4.4.0

v4.3.1

What's Fixed

  • The AWS KMS key used to encrypt the S3 bucket that holds ssh keys is now created with name_prefix instead of name to ensure uniqueness.
  • The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically. EG. module.bastion.bastion_security_group.id.

What's Changed

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.0...v4.3.1

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

New Contributors

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.0

Commits
  • 0145726 Merge pull request #572 from ministryofjustice/fix/hardcoded-policy-names
  • 3c66edb Merge pull request #573 from ministryofjustice/dependabot/github_actions/brid...
  • 21558c8 Bump bridgecrewio/checkov-action from 12.2877.0 to 12.2879.0
  • caddd82 replaced uses of name with name_prefix to ensure uniqueness
  • ab924e5 Merge pull request #571 from ministryofjustice/dependabot/github_actions/gith...
  • 0aeff36 Bump github/codeql-action from 3.26.12 to 3.26.13
  • 9a92439 Merge pull request #569 from ministryofjustice/feature/7569-unit-tests
  • 4d638cb Merge pull request #570 from ministryofjustice/dependabot/github_actions/mini...
  • 0f844c3 Update versions.tf
  • f820ed1 Update terraform-static-analysis.yml
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [bastion_linux::modernisation-platform-terraform-bastion-linux](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux) from 4.2.1 to 4.4.0.
- [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux/releases)
- [Commits](ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.4.0)

---
updated-dependencies:
- dependency-name: bastion_linux::github::ministryofjustice/modernisation-platform-terraform-bastion-linux::v4.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from a team as a code owner October 16, 2024 01:00
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Oct 16, 2024
@dependabot dependabot bot requested a review from a team as a code owner October 16, 2024 01:00
@dependabot dependabot bot added the terraform Pull requests that update Terraform code label Oct 16, 2024
@dependabot dependabot bot requested a review from a team as a code owner October 16, 2024 01:00
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 16, 2024
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/xhibit-portal


Running Trivy in terraform/environments/xhibit-portal
2024-10-16T01:01:41Z INFO [vulndb] Need to update DB
2024-10-16T01:01:41Z INFO [vulndb] Downloading vulnerability DB...
2024-10-16T01:01:41Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T01:01:43Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T01:01:43Z INFO [vuln] Vulnerability scanning is enabled
2024-10-16T01:01:43Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-16T01:01:43Z INFO [misconfig] Need to update the built-in checks
2024-10-16T01:01:43Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-16T01:01:43Z INFO [secret] Secret scanning is enabled
2024-10-16T01:01:43Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-16T01:01:43Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-16T01:01:45Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-16T01:01:45Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-16T01:01:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-16T01:01:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-16T01:01:51Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-16T01:01:51Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2024-10-16T01:01:51Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="lambda.tf:57-69"
2024-10-16T01:01:51Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="lambda.tf:150-164"
2024-10-16T01:01:51Z INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="scripts/perf/node_modules"
2024-10-16T01:01:51Z INFO Number of language-specific files num=1
2024-10-16T01:01:51Z INFO [npm] Detecting vulnerabilities...
2024-10-16T01:01:51Z INFO Detected config files num=17

For OSS Maintainers: VEX Notice

If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.

scripts/perf/package-lock.json (npm)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ jsonwebtoken │ CVE-2022-23539 │ HIGH │ fixed │ 8.5.1 │ 9.0.0 │ jsonwebtoken: Unrestricted key type could lead to legacy │
│ │ │ │ │ │ │ keys usagen │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23539
├──────────────┼────────────────┤ │ ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ semver │ CVE-2022-25883 │ │ │ 5.7.1 │ 7.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25883
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────┘

importmachine.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
importmachine.tf:20
via importmachine.tf:14-21 (ingress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
20 [ ipv6_cidr_blocks = ["::/0"]
..
32 }
────────────────────────────────────────

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
importmachine.tf:19
via importmachine.tf:14-21 (ingress)
via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
1 resource "aws_security_group" "importmachine" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
32 }
────────────────────────────────────────

ingestion-load-balancer.tf (terraform)

Tests: 5 (SUCCESSES: 0, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ingestion-load-balancer.tf:59
via ingestion-load-balancer.tf:52-97 (aws_elb.ingestion_lb)
────────────────────────────────────────
52 resource "aws_elb" "ingestion_lb" {
..
59 [ internal = false
..
97 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ingestion-load-balancer.tf:104-107
────────────────────────────────────────
104 ┌ resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
105 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
106 │ force_destroy = true
107 └ }
────────────────────────────────────────

prtg-load-balancer.tf (terraform)

Tests: 7 (SUCCESSES: 0, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (HIGH: 6, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
prtg-load-balancer.tf:82
via prtg-load-balancer.tf:73-90 (aws_lb_listener.prtg_lb_listener)
────────────────────────────────────────
73 resource "aws_lb_listener" "prtg_lb_listener" {
..
82 [ ssl_policy = "ELBSecurityPolicy-2016-08"
..
90 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
prtg-load-balancer.tf:12-37
────────────────────────────────────────
12 ┌ resource "aws_lb" "prtg_lb" {
13 │
14 │ depends_on = [
15 │ aws_security_group.prtg_lb,
16 │ ]
17 │
18 │ name = "prtg-lb-${var.networking[0].application}"
19 │ internal = false
20 └ load_balancer_type = "application"
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
prtg-load-balancer.tf:19
via prtg-load-balancer.tf:12-37 (aws_lb.prtg_lb)
────────────────────────────────────────
12 resource "aws_lb" "prtg_lb" {
..
19 [ internal = false
..
37 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
prtg-load-balancer.tf:212-216
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket" "prtg_logs" {
213 │ count = local.is-production ? 0 : 1
214 │ bucket = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
215 │ force_destroy = true
216 └ }
────────────────────────────────────────

waf-load-balancer.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (HIGH: 10, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
waf-load-balancer.tf:96
via waf-load-balancer.tf:87-104 (aws_lb_listener.waf_lb_listener)
────────────────────────────────────────
87 resource "aws_lb_listener" "waf_lb_listener" {
..
96 [ ssl_policy = "ELBSecurityPolicy-2016-08"
...
104 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
waf-load-balancer.tf:27-52
────────────────────────────────────────
27 ┌ resource "aws_lb" "waf_lb" {
28 │
29 │ depends_on = [
30 │ aws_security_group.waf_lb,
31 │ ]
32 │
33 │ name = "waf-lb-${var.networking[0].application}"
34 │ internal = false
35 └ load_balancer_type = "application"
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
waf-load-balancer.tf:34
via waf-load-balancer.tf:27-52 (aws_lb.waf_lb)
────────────────────────────────────────
27 resource "aws_lb" "waf_lb" {
..
34 [ internal = false
..
52 }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
waf-load-balancer.tf:298-301
────────────────────────────────────────
298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
299 │ bucket = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
300 │ force_destroy = true
301 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
waf-load-balancer.tf:393-397
────────────────────────────────────────
393 ┌ resource "aws_s3_bucket" "waf_logs" {
394 │ count = local.is-production ? 0 : 1
395 │ bucket = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
396 │ force_destroy = true
397 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running Checkov in terraform/environments/xhibit-portal
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-16 01:01:54,262 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.0:None (for external modules, the --download-external-modules flag is required)
2024-10-16 01:01:54,262 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 557, Failed checks: 101, Skipped checks: 10

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app-server
	File: /app-server.tf:1-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "app-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig02-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 |   metadata_options {
		13 |     http_tokens   = "required"
		14 |     http_endpoint = "enabled"
		15 |   }
		16 | 
		17 |   root_block_device {
		18 |     encrypted = true
		19 |     tags = {
		20 |       Name = "root-block-device-app-${local.application_name}"
		21 |     }
		22 |   }
		23 | 
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       # This prevents clobbering the tags of attached EBS volumes. See
		27 |       # [this bug][1] in the AWS provider upstream.
		28 |       #
		29 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		30 |       #volume_tags,
		31 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		32 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		33 |     ]
		34 | 
		35 |     prevent_destroy = true
		36 |   }
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "app-${local.application_name}"
		42 |     }
		43 |   )
		44 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:7-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		7  | module "bastion_linux" {
		8  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.0"
		9  | 
		10 |   providers = {
		11 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		12 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		13 |   }
		14 | 
		15 |   # s3 - used for logs and user ssh public keys
		16 |   bucket_name = "bastion"
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | 
		37 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.build-server
	File: /build-server.tf:1-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "build-server" {
		2  |   depends_on                  = [aws_security_group.build_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].buildserver-ami
		5  |   vpc_security_group_ids      = [aws_security_group.build_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-build-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 |   }
		36 | 
		37 |   tags = merge(
		38 |     local.tags,
		39 |     {
		40 |       Name = "build-${local.application_name}"
		41 |     }
		42 |   )
		43 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.build-disk1
	File: /build-server.tf:46-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		46 | resource "aws_ebs_volume" "build-disk1" {
		47 |   depends_on        = [aws_instance.build-server]
		48 |   availability_zone = "${local.region}a"
		49 |   type              = "gp2"
		50 |   encrypted         = true
		51 | 
		52 |   snapshot_id = local.application_data.accounts[local.environment].buildserver-disk-1-snapshot
		53 | 
		54 |   tags = merge(
		55 |     local.tags,
		56 |     {
		57 |       Name = "build-disk1-${local.application_name}"
		58 |     }
		59 |   )
		60 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.cjim-server
	File: /cjim-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "cjim-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig04-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjim-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjim-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.cjim-disk1
	File: /cjim-server.tf:48-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		48 | resource "aws_ebs_volume" "cjim-disk1" {
		49 |   depends_on        = [aws_instance.cjim-server]
		50 |   availability_zone = "${local.region}a"
		51 |   type              = "gp2"
		52 |   encrypted         = true
		53 | 
		54 |   snapshot_id = local.application_data.accounts[local.environment].suprig04-disk-1-snapshot
		55 | 
		56 |   tags = merge(
		57 |     local.tags,
		58 |     {
		59 |       Name = "cjim-disk1-${local.application_name}"
		60 |     }
		61 |   )
		62 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.cjip-server
	File: /cjip-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "cjip-server" {
		2  |   depends_on                  = [aws_security_group.ingestion_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig05-ami
		5  |   vpc_security_group_ids      = [aws_security_group.ingestion_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjip-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjip-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.cjip-disk1
	File: /cjip-server.tf:48-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		48 | resource "aws_ebs_volume" "cjip-disk1" {
		49 |   depends_on        = [aws_instance.cjip-server]
		50 |   availability_zone = "${local.region}a"
		51 |   type              = "gp2"
		52 |   encrypted         = true
		53 | 
		54 |   snapshot_id = local.application_data.accounts[local.environment].suprig05-disk-1-snapshot
		55 | 
		56 |   tags = merge(
		57 |     local.tags,
		58 |     {
		59 |       Name = "cjip-disk1-${local.application_name}"
		60 |     }
		61 |   )
		62 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.shared_cmk_policy
	File: /cms_key.tf:16-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database-server-baremetal
	File: /database-server-baremetal.tf:3-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		3  | resource "aws_instance" "database-server-baremetal" {
		4  |   # Used to only allow the bare metal server to deploy in prod
		5  |   count                       = local.only_in_production
		6  |   depends_on                  = [aws_security_group.sms_server]
		7  |   instance_type               = "c5d.metal"
		8  |   ami                         = local.application_data.accounts[local.environment].suprig01-baremetal-ami
		9  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		10 |   monitoring                  = false
		11 |   associate_public_ip_address = false
		12 |   ebs_optimized               = false
		13 |   subnet_id                   = data.aws_subnet.private_az_a.id
		14 |   key_name                    = aws_key_pair.ben.key_name
		15 | 
		16 | 
		17 |   metadata_options {
		18 |     http_tokens   = "required"
		19 |     http_endpoint = "enabled"
		20 |   }
		21 | 
		22 |   root_block_device {
		23 |     encrypted   = true
		24 |     volume_size = 300
		25 |     tags = {
		26 |       Name = "root-block-device-baremetal-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       volume_tags,
		37 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		38 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		39 |     ]
		40 | 
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "baremetal-${local.application_name}"
		48 |     }
		49 |   )
		50 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-baremetal-disk1
	File: /database-server-baremetal.tf:53-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		53 | resource "aws_ebs_volume" "database-baremetal-disk1" {
		54 |   count             = local.only_in_production
		55 |   depends_on        = [aws_instance.database-server-baremetal]
		56 |   availability_zone = "${local.region}a"
		57 |   type              = "gp2"
		58 |   encrypted         = true
		59 |   size              = 4000
		60 | 
		61 |   tags = merge(
		62 |     local.tags,
		63 |     {
		64 |       Name = "database-baremetal-disk1-${local.application_name}"
		65 |     }
		66 |   )
		67 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.app-baremetal-disk2
	File: /database-server-baremetal.tf:98-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		98  | resource "aws_ebs_volume" "app-baremetal-disk2" {
		99  |   count             = local.only_in_production
		100 |   depends_on        = [aws_instance.database-server-baremetal]
		101 |   availability_zone = "${local.region}a"
		102 |   type              = "gp2"
		103 |   encrypted         = true
		104 |   size              = 2000
		105 | 
		106 |   tags = merge(
		107 |     local.tags,
		108 |     {
		109 |       Name = "app-baremetal-disk2-${local.application_name}"
		110 |     }
		111 |   )
		112 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database-server
	File: /database-server.tf:2-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		2  | resource "aws_instance" "database-server" {
		3  |   depends_on                  = [aws_security_group.app_servers]
		4  |   instance_type               = "t2.medium"
		5  |   ami                         = local.application_data.accounts[local.environment].suprig01-ami
		6  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		7  |   monitoring                  = false
		8  |   associate_public_ip_address = false
		9  |   ebs_optimized               = false
		10 |   subnet_id                   = data.aws_subnet.private_az_a.id
		11 |   key_name                    = aws_key_pair.george.key_name
		12 | 
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted   = true
		21 |     volume_size = 64
		22 |     tags = {
		23 |       Name = "root-block-device-database-${local.application_name}"
		24 |     }
		25 |   }
		26 | 
		27 |   lifecycle {
		28 |     ignore_changes = [
		29 |       # This prevents clobbering the tags of attached EBS volumes. See
		30 |       # [this bug][1] in the AWS provider upstream.
		31 |       #
		32 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		33 |       volume_tags,
		34 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = true
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "database-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk1
	File: /database-server.tf:50-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		50 | resource "aws_ebs_volume" "database-disk1" {
		51 |   depends_on        = [aws_instance.database-server]
		52 |   availability_zone = "${local.region}a"
		53 |   type              = "gp2"
		54 |   encrypted         = true
		55 | 
		56 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-1-snapshot
		57 | 
		58 |   tags = merge(
		59 |     local.tags,
		60 |     {
		61 |       Name = "database-disk1-${local.application_name}"
		62 |     }
		63 |   )
		64 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk2
	File: /database-server.tf:77-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		77 | resource "aws_ebs_volume" "database-disk2" {
		78 |   depends_on        = [aws_instance.database-server]
		79 |   availability_zone = "${local.region}a"
		80 |   type              = "gp2"
		81 |   encrypted         = true
		82 | 
		83 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-2-snapshot
		84 | 
		85 |   tags = merge(
		86 |     local.tags,
		87 |     {
		88 |       Name = "database-disk2-${local.application_name}"
		89 |     }
		90 |   )
		91 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk3
	File: /database-server.tf:102-116
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		102 | resource "aws_ebs_volume" "database-disk3" {
		103 |   depends_on        = [aws_instance.database-server]
		104 |   availability_zone = "${local.region}a"
		105 |   type              = "gp2"
		106 |   encrypted         = true
		107 | 
		108 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-3-snapshot
		109 | 
		110 |   tags = merge(
		111 |     local.tags,
		112 |     {
		113 |       Name = "database-disk3-${local.application_name}"
		114 |     }
		115 |   )
		116 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk4
	File: /database-server.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		126 | resource "aws_ebs_volume" "database-disk4" {
		127 |   depends_on        = [aws_instance.database-server]
		128 |   availability_zone = "${local.region}a"
		129 |   type              = "gp2"
		130 |   encrypted         = true
		131 | 
		132 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-4-snapshot
		133 | 
		134 |   tags = merge(
		135 |     local.tags,
		136 |     {
		137 |       Name = "database-disk4-${local.application_name}"
		138 |     }
		139 |   )
		140 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk5
	File: /database-server.tf:150-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		150 | resource "aws_ebs_volume" "database-disk5" {
		151 |   depends_on        = [aws_instance.database-server]
		152 |   availability_zone = "${local.region}a"
		153 |   type              = "gp2"
		154 |   encrypted         = true
		155 | 
		156 |   snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-5-snapshot
		157 | 
		158 |   tags = merge(
		159 |     local.tags,
		160 |     {
		161 |       Name = "database-disk5-${local.application_name}"
		162 |     }
		163 |   )
		164 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk6
	File: /database-server.tf:175-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		175 | resource "aws_ebs_volume" "database-disk6" {
		176 |   depends_on        = [aws_instance.database-server]
		177 |   availability_zone = "${local.region}a"
		178 |   type              = "gp2"
		179 |   encrypted         = true
		180 | 
		181 |   #snapshot_id = local.application_data.accounts[local.environment].suprig01-disk-6-snapshot
		182 | 
		183 |   size = 300
		184 | 
		185 |   tags = merge(
		186 |     local.tags,
		187 |     {
		188 |       Name = "database-disk6-${local.application_name}"
		189 |     }
		190 |   )
		191 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.database-disk7
	File: /database-server.tf:201-215
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		201 | resource "aws_ebs_volume" "database-disk7" {
		202 |   depends_on        = [aws_instance.database-server]
		203 |   availability_zone = "${local.region}a"
		204 |   type              = "gp2"
		205 |   encrypted         = true
		206 | 
		207 |   size = 300
		208 | 
		209 |   tags = merge(
		210 |     local.tags,
		211 |     {
		212 |       Name = "database-disk7-${local.application_name}"
		213 |     }
		214 |   )
		215 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.infra1
	File: /domain-controllers.tf:103-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		103 | resource "aws_instance" "infra1" {
		104 |   instance_type               = "t2.small"
		105 |   ami                         = local.application_data.accounts[local.environment].infra1-ami
		106 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		107 |   monitoring                  = false
		108 |   associate_public_ip_address = false
		109 |   ebs_optimized               = false
		110 |   subnet_id                   = data.aws_subnet.private_az_a.id
		111 |   key_name                    = aws_key_pair.george.key_name
		112 | 
		113 | 
		114 |   metadata_options {
		115 |     http_tokens   = "required"
		116 |     http_endpoint = "enabled"
		117 |   }
		118 | 
		119 |   root_block_device {
		120 |     encrypted = true
		121 |     tags = {
		122 |       Name = "root-block-device-infra1-${local.application_name}"
		123 |     }
		124 |   }
		125 | 
		126 |   lifecycle {
		127 |     ignore_changes = [
		128 |       # This prevents clobbering the tags of attached EBS volumes. See
		129 |       # [this bug][1] in the AWS provider upstream.
		130 |       #
		131 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		132 |       #volume_tags,
		133 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		134 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		135 |     ]
		136 |   }
		137 | 
		138 |   tags = merge(
		139 |     local.tags,
		140 |     {
		141 |       Name = "infra1-${local.application_name}"
		142 |     }
		143 |   )
		144 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.infra1-disk1
	File: /domain-controllers.tf:146-159
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		146 | resource "aws_ebs_volume" "infra1-disk1" {
		147 |   availability_zone = "${local.region}a"
		148 |   type              = "gp2"
		149 |   encrypted         = true
		150 | 
		151 |   snapshot_id = local.application_data.accounts[local.environment].infra1-disk-1-snapshot
		152 | 
		153 |   tags = merge(
		154 |     local.tags,
		155 |     {
		156 |       Name = "infra1-disk1-${local.application_name}"
		157 |     }
		158 |   )
		159 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.infra2
	File: /domain-controllers.tf:169-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		169 | resource "aws_instance" "infra2" {
		170 |   depends_on                  = [aws_security_group.app_servers, aws_security_group.outbound_dns_resolver]
		171 |   instance_type               = "t2.small"
		172 |   ami                         = local.application_data.accounts[local.environment].infra2-ami
		173 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		174 |   monitoring                  = false
		175 |   associate_public_ip_address = false
		176 |   ebs_optimized               = false
		177 |   subnet_id                   = data.aws_subnet.private_az_b.id
		178 |   key_name                    = aws_key_pair.george.key_name
		179 | 
		180 | 
		181 |   metadata_options {
		182 |     http_tokens   = "required"
		183 |     http_endpoint = "enabled"
		184 |   }
		185 | 
		186 |   root_block_device {
		187 |     encrypted = true
		188 |     tags = {
		189 |       Name = "root-block-device-infra2-${local.application_name}"
		190 |     }
		191 |   }
		192 | 
		193 |   lifecycle {
		194 |     ignore_changes = [
		195 |       # This prevents clobbering the tags of attached EBS volumes. See
		196 |       # [this bug][1] in the AWS provider upstream.
		197 |       #
		198 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		199 |       volume_tags,
		200 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		201 |       #root_block_device,
		202 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		203 |     ]
		204 | 
		205 |     prevent_destroy = true
		206 |   }
		207 | 
		208 |   tags = merge(
		209 |     local.tags,
		210 |     {
		211 |       Name = "infra2-${local.application_name}"
		212 |     }
		213 |   )
		214 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.exchange-server
	File: /exchange-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		6  | resource "aws_instance" "exchange-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.exchange_server]
		9  |   instance_type               = "t2.medium"
		10 |   ami                         = local.application_data.accounts[local.environment].infra6-ami
		11 |   vpc_security_group_ids      = [aws_security_group.exchange_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-exchange-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = true
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "exchange-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.exchange-disk1
	File: /exchange-server.tf:53-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		53 | resource "aws_ebs_volume" "exchange-disk1" {
		54 |   depends_on        = [aws_instance.exchange-server]
		55 |   availability_zone = "${local.region}a"
		56 |   type              = "gp2"
		57 |   encrypted         = true
		58 | 
		59 |   snapshot_id = local.application_data.accounts[local.environment].infra6-disk-1-snapshot
		60 | 
		61 |   tags = merge(
		62 |     local.tags,
		63 |     {
		64 |       Name = "exchange-disk1-${local.application_name}"
		65 |     }
		66 |   )
		67 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.exchange-disk2
	File: /exchange-server.tf:77-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		77 | resource "aws_ebs_volume" "exchange-disk2" {
		78 |   depends_on        = [aws_instance.exchange-server]
		79 |   availability_zone = "${local.region}a"
		80 |   type              = "gp2"
		81 |   encrypted         = true
		82 | 
		83 |   snapshot_id = local.application_data.accounts[local.environment].infra6-disk-2-snapshot
		84 | 
		85 |   tags = merge(
		86 |     local.tags,
		87 |     {
		88 |       Name = "exchange-disk2-${local.application_name}"
		89 |     }
		90 |   )
		91 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.iisrelay-server
	File: /iisrelay-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		6  | resource "aws_instance" "iisrelay-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.iisrelay_server]
		9  |   instance_type               = "t3.large"
		10 |   ami                         = local.application_data.accounts[local.environment].iisrelay-ami
		11 |   vpc_security_group_ids      = [aws_security_group.iisrelay_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-iisrelay-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = false
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "iisrelay-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_277: "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-group-does-not-allow-all-traffic-on-all-ports

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.importmachine
	File: /importmachine.tf:1-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "importmachine" {
		2  |   description = "Configure importmachine access - ingress should be only from Bastion"
		3  |   name        = "importmachine-${local.application_name}"
		4  |   vpc_id      = local.vpc_id
		5  | 
		6  |   ingress {
		7  |     description     = "SSH from Bastion"
		8  |     from_port       = 0
		9  |     to_port         = "3389"
		10 |     protocol        = "TCP"
		11 |     security_groups = [module.bastion_linux.bastion_security_group]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description      = "from all"
		16 |     from_port        = 0
		17 |     to_port          = 0
		18 |     protocol         = "-1"
		19 |     cidr_blocks      = ["0.0.0.0/0"]
		20 |     ipv6_cidr_blocks = ["::/0"]
		21 |   }
		22 | 
		23 |   egress {
		24 |     description      = "allow all"
		25 |     from_port        = 0
		26 |     to_port          = 0
		27 |     protocol         = "-1"
		28 |     cidr_blocks      = ["0.0.0.0/0"]
		29 |     ipv6_cidr_blocks = ["::/0"]
		30 |   }
		31 | 
		32 | }

Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_ebs_volume.disk_xvdf
	File: /importmachine.tf:89-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-109

		89  | resource "aws_ebs_volume" "disk_xvdf" {
		90  |   depends_on        = [aws_instance.importmachine]
		91  |   snapshot_id       = local.application_data.accounts[local.environment].importmachine-data-snapshot
		92  |   availability_zone = "${local.region}a"
		93  |   type              = "gp2"
		94  |   encrypted         = true
		95  |   size              = 6000
		96  | 
		97  |   tags = merge(
		98  |     local.tags,
		99  |     {
		100 |       Name = "importmachine-${local.application_name}-disk"
		101 |     }
		102 |   )
		103 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vm-import
	File: /importrole.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "vm-import" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
		4  | 
		5  |   bucket_prefix    = local.application_data.accounts[local.environment].bucket_prefix
		6  |   tags             = local.tags
		7  |   application_name = local.application_name
		8  |   account_number   = local.environment_management.account_ids[terraform.workspace]
		9  | 
		10 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vm-import
	File: /importrole.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		1  | module "vm-import" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
		4  | 
		5  |   bucket_prefix    = local.application_data.accounts[local.environment].bucket_prefix
		6  |   tags             = local.tags
		7  |   application_name = local.application_name
		8  |   account_number   = local.environment_management.account_ids[terraform.workspace]
		9  | 
		10 | }

Check: CKV_AWS_376: "Ensure AWS Elastic Load Balancer listener uses TLS/SSL"
	FAILED for resource: aws_elb.ingestion_lb
	File: /ingestion-load-balancer.tf:52-97

		52 | resource "aws_elb" "ingestion_lb" {
		53 | 
		54 |   depends_on = [
		55 |     aws_security_group.ingestion_lb,
		56 |   ]
		57 | 
		58 |   name            = "ingestion-lb-${var.networking[0].application}"
		59 |   internal        = false
		60 |   security_groups = [aws_security_group.ingestion_lb.id]
		61 |   subnets         = data.aws_subnets.ingestion-shared-public.ids
		62 | 
		63 |   access_logs {
		64 |     bucket        = aws_s3_bucket.loadbalancer_logs.bucket
		65 |     bucket_prefix = "http-lb"
		66 |     enabled       = true
		67 |   }
		68 | 
		69 |   listener {
		70 |     instance_port      = 80
		71 |     instance_protocol  = "http"
		72 |     lb_port            = 443
		73 |     lb_protocol        = "https"
		74 |     ssl_certificate_id = data.aws_acm_certificate.ingestion_lb_cert.arn
		75 |   }
		76 | 
		77 |   health_check {
		78 |     healthy_threshold   = 6
		79 |     unhealthy_threshold = 2
		80 |     timeout             = 2
		81 |     target              = "HTTP:80/"
		82 |     interval            = 5
		83 |   }
		84 | 
		85 |   instances                   = [aws_instance.cjip-server.id]
		86 |   cross_zone_load_balancing   = true
		87 |   idle_timeout                = 400
		88 |   connection_draining         = true
		89 |   connection_draining_timeout = 400
		90 | 
		91 |   tags = merge(
		92 |     local.tags,
		93 |     {
		94 |       Name = "ingestion-lb-${var.networking[0].application}"
		95 |     },
		96 |   )
		97 | }

Check: CKV_AWS_213: "Ensure ELB Policy uses only secure protocols"
	FAILED for resource: aws_load_balancer_policy.ingestion-ssl
	File: /ingestion-load-balancer.tf:199-674
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-elb-policy-uses-only-secure-protocols

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.root_snapshot_to_ami
	File: /lambda.tf:57-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		57 | resource "aws_lambda_function" "root_snapshot_to_ami" {
		58 |   # checkov:skip=CKV_AWS_50: "X-ray tracing is not required"
		59 |   # checkov:skip=CKV_AWS_117: "Lambda is not environment specific"
		60 |   # checkov:skip=CKV_AWS_116: "DLQ not required"
		61 |   filename                       = "lambda/lambda_function.zip"
		62 |   function_name                  = "root_snapshot_to_ami"
		63 |   role                           = aws_iam_role.snapshot_lambda.arn
		64 |   handler                        = "index.lambda_handler"
		65 |   source_code_hash               = data.archive_file.lambda_zip.output_base64sha256
		66 |   runtime                        = "python3.8"
		67 |   timeout                        = "120"
		68 |   reserved_concurrent_executions = 1
		69 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_old_ami
	File: /lambda.tf:150-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		150 | resource "aws_lambda_function" "delete_old_ami" {
		151 |   # checkov:skip=CKV_AWS_50: "X-ray tracing is not required"
		152 |   # checkov:skip=CKV_AWS_117: "Lambda is not environment specific"
		153 |   # checkov:skip=CKV_AWS_116: "DLQ not required"
		154 |   filename         = "lambda/delete_old_ami.zip"
		155 |   function_name    = "delete_old_ami"
		156 |   role             = aws_iam_role.delete_snapshot_lambda.arn
		157 |   handler          = "delete_old_ami.lambda_handler"
		158 |   source_code_hash = data.archive_file.delete_lambda_zip.output_base64sha256
		159 |   runtime          = "python3.8"
		160 |   # "large" amount of memory because of the amount of snapshots
		161 |   memory_size                    = "1280"
		162 |   timeout                        = "240"
		163 |   reserved_concurrent_executions = 1
		164 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.portal-server
	File: /portal-server.tf:1-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "portal-server" {
		2  |   depends_on                  = [aws_security_group.portal_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig03-ami
		5  |   vpc_security_group_ids      = [aws_security_group.portal_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-portal-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       #root_block_device,
		34 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		35 |     ]
		36 | 
		37 |     prevent_destroy = true
		38 |   }
		39 | 
		40 |   tags = merge(
		41 |     local.tags,
		42 |     {
		43 |       Name = "portal-${local.application_name}"
		44 |     }
		45 |   )
		46 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.prtg_lb
	File: /prtg-load-balancer.tf:12-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		12 | resource "aws_lb" "prtg_lb" {
		13 | 
		14 |   depends_on = [
		15 |     aws_security_group.prtg_lb,
		16 |   ]
		17 | 
		18 |   name                       = "prtg-lb-${var.networking[0].application}"
		19 |   internal                   = false
		20 |   load_balancer_type         = "application"
		21 |   security_groups            = [aws_security_group.prtg_lb.id]
		22 |   subnets                    = data.aws_subnets.prtg-shared-public.ids
		23 |   enable_deletion_protection = false
		24 | 
		25 |   access_logs {
		26 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		27 |     prefix  = "http-lb"
		28 |     enabled = true
		29 |   }
		30 | 
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "prtg-lb-${var.networking[0].application}"
		35 |     },
		36 |   )
		37 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.prtg_lb
	File: /prtg-load-balancer.tf:12-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		12 | resource "aws_lb" "prtg_lb" {
		13 | 
		14 |   depends_on = [
		15 |     aws_security_group.prtg_lb,
		16 |   ]
		17 | 
		18 |   name                       = "prtg-lb-${var.networking[0].application}"
		19 |   internal                   = false
		20 |   load_balancer_type         = "application"
		21 |   security_groups            = [aws_security_group.prtg_lb.id]
		22 |   subnets                    = data.aws_subnets.prtg-shared-public.ids
		23 |   enable_deletion_protection = false
		24 | 
		25 |   access_logs {
		26 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		27 |     prefix  = "http-lb"
		28 |     enabled = true
		29 |   }
		30 | 
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "prtg-lb-${var.networking[0].application}"
		35 |     },
		36 |   )
		37 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.prtg_acl
	File: /prtg-load-balancer.tf:138-204
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.sms-server
	File: /sms-server.tf:1-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "sms-server" {
		2  |   depends_on                  = [aws_security_group.sms_server]
		3  |   instance_type               = "t3.large"
		4  |   ami                         = local.application_data.accounts[local.environment].XHBPRESMS01-ami
		5  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.gary.key_name
		11 |   #key_name                    = aws_key_pair.george.key_name
		12 |   iam_instance_profile = aws_iam_instance_profile.ec2_xp_profile.id
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted = true
		21 |     tags = {
		22 |       Name = "root-block-device-sms-server-${local.application_name}"
		23 |     }
		24 |   }
		25 | 
		26 |   lifecycle {
		27 |     ignore_changes = [
		28 |       # This prevents clobbering the tags of attached EBS volumes. See
		29 |       # [this bug][1] in the AWS provider upstream.
		30 |       #
		31 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		32 |       volume_tags,
		33 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		34 |       #root_block_device,
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = false
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "sms-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.waf_lb
	File: /waf-load-balancer.tf:27-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		27 | resource "aws_lb" "waf_lb" {
		28 | 
		29 |   depends_on = [
		30 |     aws_security_group.waf_lb,
		31 |   ]
		32 | 
		33 |   name                       = "waf-lb-${var.networking[0].application}"
		34 |   internal                   = false
		35 |   load_balancer_type         = "application"
		36 |   security_groups            = [aws_security_group.waf_lb.id]
		37 |   subnets                    = data.aws_subnets.waf-shared-public.ids
		38 |   enable_deletion_protection = false
		39 | 
		40 |   access_logs {
		41 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		42 |     prefix  = "http-lb"
		43 |     enabled = true
		44 |   }
		45 | 
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Name = "waf-lb-${var.networking[0].application}"
		50 |     },
		51 |   )
		52 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.waf_lb
	File: /waf-load-balancer.tf:27-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		27 | resource "aws_lb" "waf_lb" {
		28 | 
		29 |   depends_on = [
		30 |     aws_security_group.waf_lb,
		31 |   ]
		32 | 
		33 |   name                       = "waf-lb-${var.networking[0].application}"
		34 |   internal                   = false
		35 |   load_balancer_type         = "application"
		36 |   security_groups            = [aws_security_group.waf_lb.id]
		37 |   subnets                    = data.aws_subnets.waf-shared-public.ids
		38 |   enable_deletion_protection = false
		39 | 
		40 |   access_logs {
		41 |     bucket  = aws_s3_bucket.loadbalancer_logs.bucket
		42 |     prefix  = "http-lb"
		43 |     enabled = true
		44 |   }
		45 | 
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Name = "waf-lb-${var.networking[0].application}"
		50 |     },
		51 |   )
		52 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.waf_lb_web_tg
	File: /waf-load-balancer.tf:54-78

		54 | resource "aws_lb_target_group" "waf_lb_web_tg" {
		55 |   depends_on           = [aws_lb.waf_lb]
		56 |   name                 = "waf-lb-web-tg-${var.networking[0].application}"
		57 |   port                 = 80
		58 |   protocol             = "HTTP"
		59 |   deregistration_delay = "30"
		60 |   vpc_id               = local.vpc_id
		61 | 
		62 |   health_check {
		63 |     path                = "/Secure/Default.aspx"
		64 |     port                = 80
		65 |     healthy_threshold   = 6
		66 |     unhealthy_threshold = 2
		67 |     timeout             = 2
		68 |     interval            = 5
		69 |     matcher             = "302" # change this to 200 when the database comes up
		70 |   }
		71 | 
		72 |   tags = merge(
		73 |     local.tags,
		74 |     {
		75 |       Name = "waf-lb_-g-${var.networking[0].application}"
		76 |     },
		77 |   )
		78 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.waf_acl
	File: /waf-load-balancer.tf:224-290
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.zgit
	File: /xp-secrets.tf:15-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		15 | resource "aws_secretsmanager_secret" "zgit" {
		16 |   name        = "${local.environment}/zgit.pem"
		17 |   description = "key pair used for the zgit-server-xhibit-portal"
		18 |   policy      = <<POLICY
		19 | {
		20 |   "Version" : "2012-10-17",
		21 |   "Statement" : [ {
		22 |     "Sid" : "AdministratorFullAccess",
		23 |     "Effect" : "Allow",
		24 |     "Principal" : {
		25 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		26 |     },
		27 |     "Action" : "secretsmanager:*",
		28 |     "Resource" : "*"
		29 |   },
		30 |   {
		31 |     "Sid" : "MPDeveloperFullAccess",
		32 |     "Effect" : "Allow",
		33 |     "Principal" : {
		34 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		35 |     },
		36 |     "Action" : "secretsmanager:*",  
		37 |     "Resource" : "*"
		38 |   } ]
		39 | }
		40 | POLICY
		41 | 
		42 |   tags = local.tags
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.prtgadmin
	File: /xp-secrets.tf:45-73
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "prtgadmin" {
		46 |   name        = "${local.environment}/prtgadmin"
		47 |   description = "Root admin account used for the PRTG monitoring application on the import machine"
		48 |   policy      = <<POLICY
		49 | {
		50 |   "Version" : "2012-10-17",
		51 |   "Statement" : [ {
		52 |     "Sid" : "AdministratorFullAccess",
		53 |     "Effect" : "Allow",
		54 |     "Principal" : {
		55 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		56 |     },
		57 |     "Action" : "secretsmanager:*",
		58 |     "Resource" : "*"
		59 |   },
		60 |   {
		61 |     "Sid" : "MPDeveloperFullAccess",
		62 |     "Effect" : "Allow",
		63 |     "Principal" : {
		64 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		65 |     },
		66 |     "Action" : "secretsmanager:*",  
		67 |     "Resource" : "*"
		68 |   } ]
		69 | }
		70 | POLICY
		71 | 
		72 |   tags = local.tags
		73 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.george
	File: /xp-secrets.tf:75-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		75  | resource "aws_secretsmanager_secret" "george" {
		76  |   name        = "${local.environment}/george.pem"
		77  |   description = "Private key for keypair george"
		78  |   policy      = <<POLICY
		79  | {
		80  |   "Version" : "2012-10-17",
		81  |   "Statement" : [ {
		82  |     "Sid" : "AdministratorFullAccess",
		83  |     "Effect" : "Allow",
		84  |     "Principal" : {
		85  |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		86  |     },
		87  |     "Action" : "secretsmanager:*",
		88  |     "Resource" : "*"
		89  |   },
		90  |   {
		91  |     "Sid" : "MPDeveloperFullAccess",
		92  |     "Effect" : "Allow",
		93  |     "Principal" : {
		94  |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		95  |     },
		96  |     "Action" : "secretsmanager:*",  
		97  |     "Resource" : "*"
		98  |   } ]
		99  | }
		100 | POLICY
		101 | 
		102 |   tags = local.tags
		103 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.aladmin
	File: /xp-secrets.tf:105-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		105 | resource "aws_secretsmanager_secret" "aladmin" {
		106 |   name        = "${local.environment}/aladmin"
		107 |   description = "The local admin password for the local user 'aladmin' on our domain joined EC2 instances"
		108 |   policy      = <<POLICY
		109 | {
		110 |   "Version" : "2012-10-17",
		111 |   "Statement" : [ {
		112 |     "Sid" : "AdministratorFullAccess",
		113 |     "Effect" : "Allow",
		114 |     "Principal" : {
		115 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		116 |     },
		117 |     "Action" : "secretsmanager:*",
		118 |     "Resource" : "*"
		119 |   },
		120 |   {
		121 |     "Sid" : "MPDeveloperFullAccess",
		122 |     "Effect" : "Allow",
		123 |     "Principal" : {
		124 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		125 |     },
		126 |     "Action" : "secretsmanager:*",  
		127 |     "Resource" : "*"
		128 |   } ]
		129 | }
		130 | POLICY
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.domainadmin-aladmin
	File: /xp-secrets.tf:135-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		135 | resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
		136 |   name        = "${local.environment}/aladmin@cjse.sema.local"
		137 |   description = "Domain admin account"
		138 |   policy      = <<POLICY
		139 | {
		140 |   "Version" : "2012-10-17",
		141 |   "Statement" : [ {
		142 |     "Sid" : "AdministratorFullAccess",
		143 |     "Effect" : "Allow",
		144 |     "Principal" : {
		145 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		146 |     },
		147 |     "Action" : "secretsmanager:*",
		148 |     "Resource" : "*"
		149 |   },
		150 |   {
		151 |     "Sid" : "MPDeveloperFullAccess",
		152 |     "Effect" : "Allow",
		153 |     "Principal" : {
		154 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		155 |     },
		156 |     "Action" : "secretsmanager:*",  
		157 |     "Resource" : "*"
		158 |   } ]
		159 | }
		160 | POLICY
		161 | 
		162 |   tags = local.tags
		163 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.ingest_root_ca_cert
	File: /xp-secrets.tf:165-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		165 | resource "aws_secretsmanager_secret" "ingest_root_ca_cert" {
		166 |   name        = "${local.environment}/ingest-root-ca-cert"
		167 |   description = "Root CA certificate data for the Ingest service"
		168 |   policy      = <<POLICY
		169 | {
		170 |   "Version" : "2012-10-17",
		171 |   "Statement" : [ {
		172 |     "Sid" : "AdministratorFullAccess",
		173 |     "Effect" : "Allow",
		174 |     "Principal" : {
		175 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		176 |     },
		177 |     "Action" : "secretsmanager:*",
		178 |     "Resource" : "*"
		179 |   },
		180 |   {
		181 |     "Sid" : "MPDeveloperFullAccess",
		182 |     "Effect" : "Allow",
		183 |     "Principal" : {
		184 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		185 |     },
		186 |     "Action" : "secretsmanager:*",  
		187 |     "Resource" : "*"
		188 |   } ]
		189 | }
		190 | POLICY
		191 | 
		192 |   tags = local.tags
		193 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.zgit
	File: /xp-secrets.tf:15-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		15 | resource "aws_secretsmanager_secret" "zgit" {
		16 |   name        = "${local.environment}/zgit.pem"
		17 |   description = "key pair used for the zgit-server-xhibit-portal"
		18 |   policy      = <<POLICY
		19 | {
		20 |   "Version" : "2012-10-17",
		21 |   "Statement" : [ {
		22 |     "Sid" : "AdministratorFullAccess",
		23 |     "Effect" : "Allow",
		24 |     "Principal" : {
		25 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		26 |     },
		27 |     "Action" : "secretsmanager:*",
		28 |     "Resource" : "*"
		29 |   },
		30 |   {
		31 |     "Sid" : "MPDeveloperFullAccess",
		32 |     "Effect" : "Allow",
		33 |     "Principal" : {
		34 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		35 |     },
		36 |     "Action" : "secretsmanager:*",  
		37 |     "Resource" : "*"
		38 |   } ]
		39 | }
		40 | POLICY
		41 | 
		42 |   tags = local.tags
		43 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.prtgadmin
	File: /xp-secrets.tf:45-73
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		45 | resource "aws_secretsmanager_secret" "prtgadmin" {
		46 |   name        = "${local.environment}/prtgadmin"
		47 |   description = "Root admin account used for the PRTG monitoring application on the import machine"
		48 |   policy      = <<POLICY
		49 | {
		50 |   "Version" : "2012-10-17",
		51 |   "Statement" : [ {
		52 |     "Sid" : "AdministratorFullAccess",
		53 |     "Effect" : "Allow",
		54 |     "Principal" : {
		55 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		56 |     },
		57 |     "Action" : "secretsmanager:*",
		58 |     "Resource" : "*"
		59 |   },
		60 |   {
		61 |     "Sid" : "MPDeveloperFullAccess",
		62 |     "Effect" : "Allow",
		63 |     "Principal" : {
		64 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		65 |     },
		66 |     "Action" : "secretsmanager:*",  
		67 |     "Resource" : "*"
		68 |   } ]
		69 | }
		70 | POLICY
		71 | 
		72 |   tags = local.tags
		73 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.george
	File: /xp-secrets.tf:75-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		75  | resource "aws_secretsmanager_secret" "george" {
		76  |   name        = "${local.environment}/george.pem"
		77  |   description = "Private key for keypair george"
		78  |   policy      = <<POLICY
		79  | {
		80  |   "Version" : "2012-10-17",
		81  |   "Statement" : [ {
		82  |     "Sid" : "AdministratorFullAccess",
		83  |     "Effect" : "Allow",
		84  |     "Principal" : {
		85  |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		86  |     },
		87  |     "Action" : "secretsmanager:*",
		88  |     "Resource" : "*"
		89  |   },
		90  |   {
		91  |     "Sid" : "MPDeveloperFullAccess",
		92  |     "Effect" : "Allow",
		93  |     "Principal" : {
		94  |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		95  |     },
		96  |     "Action" : "secretsmanager:*",  
		97  |     "Resource" : "*"
		98  |   } ]
		99  | }
		100 | POLICY
		101 | 
		102 |   tags = local.tags
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.aladmin
	File: /xp-secrets.tf:105-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		105 | resource "aws_secretsmanager_secret" "aladmin" {
		106 |   name        = "${local.environment}/aladmin"
		107 |   description = "The local admin password for the local user 'aladmin' on our domain joined EC2 instances"
		108 |   policy      = <<POLICY
		109 | {
		110 |   "Version" : "2012-10-17",
		111 |   "Statement" : [ {
		112 |     "Sid" : "AdministratorFullAccess",
		113 |     "Effect" : "Allow",
		114 |     "Principal" : {
		115 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		116 |     },
		117 |     "Action" : "secretsmanager:*",
		118 |     "Resource" : "*"
		119 |   },
		120 |   {
		121 |     "Sid" : "MPDeveloperFullAccess",
		122 |     "Effect" : "Allow",
		123 |     "Principal" : {
		124 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		125 |     },
		126 |     "Action" : "secretsmanager:*",  
		127 |     "Resource" : "*"
		128 |   } ]
		129 | }
		130 | POLICY
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.domainadmin-aladmin
	File: /xp-secrets.tf:135-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		135 | resource "aws_secretsmanager_secret" "domainadmin-aladmin" {
		136 |   name        = "${local.environment}/aladmin@cjse.sema.local"
		137 |   description = "Domain admin account"
		138 |   policy      = <<POLICY
		139 | {
		140 |   "Version" : "2012-10-17",
		141 |   "Statement" : [ {
		142 |     "Sid" : "AdministratorFullAccess",
		143 |     "Effect" : "Allow",
		144 |     "Principal" : {
		145 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		146 |     },
		147 |     "Action" : "secretsmanager:*",
		148 |     "Resource" : "*"
		149 |   },
		150 |   {
		151 |     "Sid" : "MPDeveloperFullAccess",
		152 |     "Effect" : "Allow",
		153 |     "Principal" : {
		154 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		155 |     },
		156 |     "Action" : "secretsmanager:*",  
		157 |     "Resource" : "*"
		158 |   } ]
		159 | }
		160 | POLICY
		161 | 
		162 |   tags = local.tags
		163 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ingest_root_ca_cert
	File: /xp-secrets.tf:165-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		165 | resource "aws_secretsmanager_secret" "ingest_root_ca_cert" {
		166 |   name        = "${local.environment}/ingest-root-ca-cert"
		167 |   description = "Root CA certificate data for the Ingest service"
		168 |   policy      = <<POLICY
		169 | {
		170 |   "Version" : "2012-10-17",
		171 |   "Statement" : [ {
		172 |     "Sid" : "AdministratorFullAccess",
		173 |     "Effect" : "Allow",
		174 |     "Principal" : {
		175 |       "AWS" : "${sort(data.aws_iam_roles.admin.arns)[0]}"
		176 |     },
		177 |     "Action" : "secretsmanager:*",
		178 |     "Resource" : "*"
		179 |   },
		180 |   {
		181 |     "Sid" : "MPDeveloperFullAccess",
		182 |     "Effect" : "Allow",
		183 |     "Principal" : {
		184 |        "AWS" : "${sort(data.aws_iam_roles.developer.arns)[0]}"
		185 |     },
		186 |     "Action" : "secretsmanager:*",  
		187 |     "Resource" : "*"
		188 |   } ]
		189 | }
		190 | POLICY
		191 | 
		192 |   tags = local.tags
		193 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ingestion_loadbalancer_logs
	File: /ingestion-load-balancer.tf:104-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		104 | resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
		105 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
		106 |   force_destroy = true
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.prtg_logs
	File: /prtg-load-balancer.tf:212-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		212 | resource "aws_s3_bucket" "prtg_logs" {
		213 |   count         = local.is-production ? 0 : 1
		214 |   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		215 |   force_destroy = true
		216 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.loadbalancer_logs
	File: /waf-load-balancer.tf:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		298 | resource "aws_s3_bucket" "loadbalancer_logs" {
		299 |   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
		300 |   force_destroy = true
		301 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.waf_logs
	File: /waf-load-balancer.tf:393-397
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		393 | resource "aws_s3_bucket" "waf_logs" {
		394 |   count         = local.is-production ? 0 : 1
		395 |   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
		396 |   force_destroy = true
		397 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.prtg_lb_listener
	File: /prtg-load-balancer.tf:73-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		73 | resource "aws_lb_listener" "prtg_lb_listener" {
		74 |   depends_on = [
		75 |     aws_acm_certificate_validation.prtg_lb_cert_validation,
		76 |     aws_lb_target_group.prtg_lb_web_tg
		77 |   ]
		78 | 
		79 |   load_balancer_arn = aws_lb.prtg_lb.arn
		80 |   port              = "443"
		81 |   protocol          = "HTTPS"
		82 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		83 |   certificate_arn   = aws_acm_certificate.prtg_lb_cert.arn
		84 |   # certificate_arn   = data.aws_acm_certificate.ingestion_cert.arn 
		85 | 
		86 |   default_action {
		87 |     type             = "forward"
		88 |     target_group_arn = aws_lb_target_group.prtg_lb_web_tg.arn
		89 |   }
		90 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.waf_lb_listener
	File: /waf-load-balancer.tf:87-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		87  | resource "aws_lb_listener" "waf_lb_listener" {
		88  |   depends_on = [
		89  |     aws_acm_certificate_validation.waf_lb_cert_validation,
		90  |     aws_lb_target_group.waf_lb_web_tg
		91  |   ]
		92  | 
		93  |   load_balancer_arn = aws_lb.waf_lb.arn
		94  |   port              = "443"
		95  |   protocol          = "HTTPS"
		96  |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		97  |   certificate_arn   = aws_acm_certificate.waf_lb_cert.arn
		98  |   # certificate_arn   = data.aws_acm_certificate.ingestion_cert.arn 
		99  | 
		100 |   default_action {
		101 |     type             = "forward"
		102 |     target_group_arn = aws_lb_target_group.waf_lb_web_tg.arn
		103 |   }
		104 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.app-server
	File: /app-server.tf:1-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "app-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig02-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 |   metadata_options {
		13 |     http_tokens   = "required"
		14 |     http_endpoint = "enabled"
		15 |   }
		16 | 
		17 |   root_block_device {
		18 |     encrypted = true
		19 |     tags = {
		20 |       Name = "root-block-device-app-${local.application_name}"
		21 |     }
		22 |   }
		23 | 
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       # This prevents clobbering the tags of attached EBS volumes. See
		27 |       # [this bug][1] in the AWS provider upstream.
		28 |       #
		29 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		30 |       #volume_tags,
		31 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		32 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		33 |     ]
		34 | 
		35 |     prevent_destroy = true
		36 |   }
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Name = "app-${local.application_name}"
		42 |     }
		43 |   )
		44 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.build-server
	File: /build-server.tf:1-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "build-server" {
		2  |   depends_on                  = [aws_security_group.build_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].buildserver-ami
		5  |   vpc_security_group_ids      = [aws_security_group.build_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-build-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 |   }
		36 | 
		37 |   tags = merge(
		38 |     local.tags,
		39 |     {
		40 |       Name = "build-${local.application_name}"
		41 |     }
		42 |   )
		43 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.cjim-server
	File: /cjim-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "cjim-server" {
		2  |   depends_on                  = [aws_security_group.app_servers]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig04-ami
		5  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjim-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjim-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.cjip-server
	File: /cjip-server.tf:1-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "cjip-server" {
		2  |   depends_on                  = [aws_security_group.ingestion_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig05-ami
		5  |   vpc_security_group_ids      = [aws_security_group.ingestion_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-cjip-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		34 |     ]
		35 | 
		36 |     prevent_destroy = true
		37 |   }
		38 | 
		39 |   tags = merge(
		40 |     local.tags,
		41 |     {
		42 |       Name = "cjip-${local.application_name}"
		43 |     }
		44 |   )
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.database-server-baremetal
	File: /database-server-baremetal.tf:3-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		3  | resource "aws_instance" "database-server-baremetal" {
		4  |   # Used to only allow the bare metal server to deploy in prod
		5  |   count                       = local.only_in_production
		6  |   depends_on                  = [aws_security_group.sms_server]
		7  |   instance_type               = "c5d.metal"
		8  |   ami                         = local.application_data.accounts[local.environment].suprig01-baremetal-ami
		9  |   vpc_security_group_ids      = [aws_security_group.sms_server.id]
		10 |   monitoring                  = false
		11 |   associate_public_ip_address = false
		12 |   ebs_optimized               = false
		13 |   subnet_id                   = data.aws_subnet.private_az_a.id
		14 |   key_name                    = aws_key_pair.ben.key_name
		15 | 
		16 | 
		17 |   metadata_options {
		18 |     http_tokens   = "required"
		19 |     http_endpoint = "enabled"
		20 |   }
		21 | 
		22 |   root_block_device {
		23 |     encrypted   = true
		24 |     volume_size = 300
		25 |     tags = {
		26 |       Name = "root-block-device-baremetal-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       volume_tags,
		37 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		38 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		39 |     ]
		40 | 
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "baremetal-${local.application_name}"
		48 |     }
		49 |   )
		50 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.database-server
	File: /database-server.tf:2-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		2  | resource "aws_instance" "database-server" {
		3  |   depends_on                  = [aws_security_group.app_servers]
		4  |   instance_type               = "t2.medium"
		5  |   ami                         = local.application_data.accounts[local.environment].suprig01-ami
		6  |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		7  |   monitoring                  = false
		8  |   associate_public_ip_address = false
		9  |   ebs_optimized               = false
		10 |   subnet_id                   = data.aws_subnet.private_az_a.id
		11 |   key_name                    = aws_key_pair.george.key_name
		12 | 
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   root_block_device {
		20 |     encrypted   = true
		21 |     volume_size = 64
		22 |     tags = {
		23 |       Name = "root-block-device-database-${local.application_name}"
		24 |     }
		25 |   }
		26 | 
		27 |   lifecycle {
		28 |     ignore_changes = [
		29 |       # This prevents clobbering the tags of attached EBS volumes. See
		30 |       # [this bug][1] in the AWS provider upstream.
		31 |       #
		32 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		33 |       volume_tags,
		34 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		35 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		36 |     ]
		37 | 
		38 |     prevent_destroy = true
		39 |   }
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Name = "database-${local.application_name}"
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.infra1
	File: /domain-controllers.tf:103-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		103 | resource "aws_instance" "infra1" {
		104 |   instance_type               = "t2.small"
		105 |   ami                         = local.application_data.accounts[local.environment].infra1-ami
		106 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		107 |   monitoring                  = false
		108 |   associate_public_ip_address = false
		109 |   ebs_optimized               = false
		110 |   subnet_id                   = data.aws_subnet.private_az_a.id
		111 |   key_name                    = aws_key_pair.george.key_name
		112 | 
		113 | 
		114 |   metadata_options {
		115 |     http_tokens   = "required"
		116 |     http_endpoint = "enabled"
		117 |   }
		118 | 
		119 |   root_block_device {
		120 |     encrypted = true
		121 |     tags = {
		122 |       Name = "root-block-device-infra1-${local.application_name}"
		123 |     }
		124 |   }
		125 | 
		126 |   lifecycle {
		127 |     ignore_changes = [
		128 |       # This prevents clobbering the tags of attached EBS volumes. See
		129 |       # [this bug][1] in the AWS provider upstream.
		130 |       #
		131 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		132 |       #volume_tags,
		133 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		134 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		135 |     ]
		136 |   }
		137 | 
		138 |   tags = merge(
		139 |     local.tags,
		140 |     {
		141 |       Name = "infra1-${local.application_name}"
		142 |     }
		143 |   )
		144 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.infra2
	File: /domain-controllers.tf:169-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		169 | resource "aws_instance" "infra2" {
		170 |   depends_on                  = [aws_security_group.app_servers, aws_security_group.outbound_dns_resolver]
		171 |   instance_type               = "t2.small"
		172 |   ami                         = local.application_data.accounts[local.environment].infra2-ami
		173 |   vpc_security_group_ids      = [aws_security_group.app_servers.id]
		174 |   monitoring                  = false
		175 |   associate_public_ip_address = false
		176 |   ebs_optimized               = false
		177 |   subnet_id                   = data.aws_subnet.private_az_b.id
		178 |   key_name                    = aws_key_pair.george.key_name
		179 | 
		180 | 
		181 |   metadata_options {
		182 |     http_tokens   = "required"
		183 |     http_endpoint = "enabled"
		184 |   }
		185 | 
		186 |   root_block_device {
		187 |     encrypted = true
		188 |     tags = {
		189 |       Name = "root-block-device-infra2-${local.application_name}"
		190 |     }
		191 |   }
		192 | 
		193 |   lifecycle {
		194 |     ignore_changes = [
		195 |       # This prevents clobbering the tags of attached EBS volumes. See
		196 |       # [this bug][1] in the AWS provider upstream.
		197 |       #
		198 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		199 |       volume_tags,
		200 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		201 |       #root_block_device,
		202 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		203 |     ]
		204 | 
		205 |     prevent_destroy = true
		206 |   }
		207 | 
		208 |   tags = merge(
		209 |     local.tags,
		210 |     {
		211 |       Name = "infra2-${local.application_name}"
		212 |     }
		213 |   )
		214 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.exchange-server
	File: /exchange-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		6  | resource "aws_instance" "exchange-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.exchange_server]
		9  |   instance_type               = "t2.medium"
		10 |   ami                         = local.application_data.accounts[local.environment].infra6-ami
		11 |   vpc_security_group_ids      = [aws_security_group.exchange_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-exchange-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = true
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "exchange-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.iisrelay-server
	File: /iisrelay-server.tf:6-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		6  | resource "aws_instance" "iisrelay-server" {
		7  | 
		8  |   depends_on                  = [aws_security_group.iisrelay_server]
		9  |   instance_type               = "t3.large"
		10 |   ami                         = local.application_data.accounts[local.environment].iisrelay-ami
		11 |   vpc_security_group_ids      = [aws_security_group.iisrelay_server.id]
		12 |   monitoring                  = true
		13 |   associate_public_ip_address = false
		14 |   ebs_optimized               = false
		15 |   subnet_id                   = data.aws_subnet.public_az_a.id
		16 |   key_name                    = aws_key_pair.george.key_name
		17 | 
		18 |   metadata_options {
		19 |     http_tokens   = "required"
		20 |     http_endpoint = "enabled"
		21 |   }
		22 | 
		23 |   root_block_device {
		24 |     encrypted = true
		25 |     tags = {
		26 |       Name = "root-block-device-iisrelay-server-${local.application_name}"
		27 |     }
		28 |   }
		29 | 
		30 |   lifecycle {
		31 |     ignore_changes = [
		32 |       # This prevents clobbering the tags of attached EBS volumes. See
		33 |       # [this bug][1] in the AWS provider upstream.
		34 |       #
		35 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		36 |       associate_public_ip_address,
		37 |       volume_tags,
		38 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		39 |       #root_block_device,
		40 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		41 |     ]
		42 |     prevent_destroy = false
		43 |   }
		44 | 
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "iisrelay-${local.application_name}"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.importmachine
	File: /importmachine.tf:49-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		49 | resource "aws_instance" "importmachine" {
		50 | 
		51 |   depends_on             = [aws_security_group.importmachine]
		52 |   instance_type          = "t3a.large"
		53 |   ami                    = local.application_data.accounts[local.environment].importmachine-ami
		54 |   vpc_security_group_ids = [aws_security_group.importmachine.id]
		55 |   monitoring             = true
		56 |   ebs_optimized          = true
		57 |   subnet_id              = data.aws_subnet.private_az_a.id
		58 |   key_name               = aws_key_pair.george.key_name
		59 | 
		60 |   metadata_options {
		61 |     http_tokens   = "required"
		62 |     http_endpoint = "enabled"
		63 |   }
		64 | 
		65 |   root_block_device {
		66 |     encrypted   = true
		67 |     volume_size = 70
		68 |   }
		69 | 
		70 |   lifecycle {
		71 |     ignore_changes = [
		72 |       # This prevents clobbering the tags of attached EBS volumes. See
		73 |       # [this bug][1] in the AWS provider upstream.
		74 | 
		75 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		76 |       volume_tags,
		77 |     ]
		78 |     prevent_destroy = true
		79 |   }
		80 | 
		81 |   tags = merge(
		82 |     local.tags,
		83 |     {
		84 |       Name = "importmachine-${local.application_name}"
		85 |     }
		86 |   )
		87 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.portal-server
	File: /portal-server.tf:1-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance

		1  | resource "aws_instance" "portal-server" {
		2  |   depends_on                  = [aws_security_group.portal_server]
		3  |   instance_type               = "t2.medium"
		4  |   ami                         = local.application_data.accounts[local.environment].suprig03-ami
		5  |   vpc_security_group_ids      = [aws_security_group.portal_server.id]
		6  |   monitoring                  = false
		7  |   associate_public_ip_address = false
		8  |   ebs_optimized               = false
		9  |   subnet_id                   = data.aws_subnet.private_az_a.id
		10 |   key_name                    = aws_key_pair.george.key_name
		11 | 
		12 | 
		13 |   metadata_options {
		14 |     http_tokens   = "required"
		15 |     http_endpoint = "enabled"
		16 |   }
		17 | 
		18 |   root_block_device {
		19 |     encrypted = true
		20 |     tags = {
		21 |       Name = "root-block-device-portal-${local.application_name}"
		22 |     }
		23 |   }
		24 | 
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       # This prevents clobbering the tags of attached EBS volumes. See
		28 |       # [this bug][1] in the AWS provider upstream.
		29 |       #
		30 |       # [1]: https://github.com/terraform-providers/terraform-provider-aws/issues/770
		31 |       volume_tags,
		32 |       #user_data,         # Prevent changes to user_data from destroying existing EC2s
		33 |       #root_block_device,
		34 |       # Prevent changes to encryption from destroying existing EC2s - can delete once encryption complete
		35 |     ]
		36 | 
		37 |     prevent_destroy = true
		38 |   }
		39 | 
		40 |   tags = merge(
		41 |     local.tags,
		42 |     {
		43 |       Name = "portal-${local.application_name}"
		44 |     }
		45 |   )
		46 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running tflint in terraform/environments/xhibit-portal
Excluding the following checks: terraform_unused_declarations
18 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import" is not pinned (terraform_module_pinned_source)

  on terraform/environments/xhibit-portal/importrole.tf line 3:
   3:   source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/ingestion-load-balancer.tf line 140:
 140:       "${aws_s3_bucket.ingestion_loadbalancer_logs.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/ingestion-load-balancer.tf line 190:
 190:     resources = ["${aws_s3_bucket.ingestion_loadbalancer_logs.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/xhibit-portal/lambda.tf line 141:
 141: data "archive_file" "delete_lambda_zip" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 98:
  98:     "${local.application_data.accounts[local.environment].public_dns_name_prtg}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 237:
 237:   log_destination_configs = ["${aws_s3_bucket.prtg_logs[0].arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 257:
 257:       "${aws_s3_bucket.prtg_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 296:
 296:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 321:
 321:       "${aws_s3_bucket.prtg_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/prtg-load-balancer.tf line 328:
 328:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 184:
 184:     "${local.application_data.accounts[local.environment].public_dns_name_web}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 334:
 334:       "${aws_s3_bucket.loadbalancer_logs.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 384:
 384:     resources = ["${aws_s3_bucket.loadbalancer_logs.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 418:
 418:   log_destination_configs = ["${aws_s3_bucket.waf_logs[0].arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 438:
 438:       "${aws_s3_bucket.waf_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 477:
 477:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 502:
 502:       "${aws_s3_bucket.waf_logs[0].arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/xhibit-portal/waf-load-balancer.tf line 509:
 509:         "${data.aws_caller_identity.current.account_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/xhibit-portal

*****************************

Running Trivy in terraform/environments/xhibit-portal
2024-10-16T01:01:41Z	INFO	[vulndb] Need to update DB
2024-10-16T01:01:41Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-16T01:01:41Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T01:01:43Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-16T01:01:43Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-16T01:01:43Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-16T01:01:43Z	INFO	[misconfig] Need to update the built-in checks
2024-10-16T01:01:43Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-16T01:01:43Z	INFO	[secret] Secret scanning is enabled
2024-10-16T01:01:43Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-16T01:01:43Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-16T01:01:45Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-16T01:01:45Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-16T01:01:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-16T01:01:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.vm-import.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-16T01:01:51Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.4.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-16T01:01:51Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2024-10-16T01:01:51Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="lambda.tf:57-69"
2024-10-16T01:01:51Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="lambda.tf:150-164"
2024-10-16T01:01:51Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="scripts/perf/node_modules"
2024-10-16T01:01:51Z	INFO	Number of language-specific files	num=1
2024-10-16T01:01:51Z	INFO	[npm] Detecting vulnerabilities...
2024-10-16T01:01:51Z	INFO	Detected config files	num=17

For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://aquasecurity.github.io/trivy/v0.56/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


scripts/perf/package-lock.json (npm)
====================================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬──────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                          Title                           │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ jsonwebtoken │ CVE-2022-23539 │ HIGH     │ fixed  │ 8.5.19.0.0               │ jsonwebtoken: Unrestricted key type could lead to legacy │
│              │                │          │        │                   │                     │ keys usagen                                              │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-23539               │
├──────────────┼────────────────┤          │        ├───────────────────┼─────────────────────┼──────────────────────────────────────────────────────────┤
│ semver       │ CVE-2022-25883 │          │        │ 5.7.17.5.2, 6.3.1, 5.7.2 │ nodejs-semver: Regular expression denial of service      │
│              │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-25883               │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴──────────────────────────────────────────────────────────┘

importmachine.tf (terraform)
============================
Tests: 4 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 importmachine.tf:20
   via importmachine.tf:14-21 (ingress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  20 [     ipv6_cidr_blocks = ["::/0"]
  ..   
  32   }
────────────────────────────────────────


HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 importmachine.tf:19
   via importmachine.tf:14-21 (ingress)
    via importmachine.tf:1-32 (aws_security_group.importmachine)
────────────────────────────────────────
   1   resource "aws_security_group" "importmachine" {
   .   
  19 [     cidr_blocks      = ["0.0.0.0/0"]
  ..   
  32   }
────────────────────────────────────────



ingestion-load-balancer.tf (terraform)
======================================
Tests: 5 (SUCCESSES: 0, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ingestion-load-balancer.tf:59
   via ingestion-load-balancer.tf:52-97 (aws_elb.ingestion_lb)
────────────────────────────────────────
  52   resource "aws_elb" "ingestion_lb" {
  ..   
  59 [   internal        = false
  ..   
  97   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 ingestion-load-balancer.tf:104-107
────────────────────────────────────────
 104resource "aws_s3_bucket" "ingestion_loadbalancer_logs" {
 105 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-ingestion-lblogs"
 106 │   force_destroy = true
 107 └ }
────────────────────────────────────────



prtg-load-balancer.tf (terraform)
=================================
Tests: 7 (SUCCESSES: 0, FAILURES: 7, EXCEPTIONS: 0)
Failures: 7 (HIGH: 6, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.


See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 prtg-load-balancer.tf:82
   via prtg-load-balancer.tf:73-90 (aws_lb_listener.prtg_lb_listener)
────────────────────────────────────────
  73   resource "aws_lb_listener" "prtg_lb_listener" {
  ..   
  82 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
  ..   
  90   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 prtg-load-balancer.tf:12-37
────────────────────────────────────────
  12resource "aws_lb" "prtg_lb" {
  1314 │   depends_on = [
  15 │     aws_security_group.prtg_lb,
  16 │   ]
  1718 │   name                       = "prtg-lb-${var.networking[0].application}"
  19 │   internal                   = false
  20 └   load_balancer_type         = "application"
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 prtg-load-balancer.tf:19
   via prtg-load-balancer.tf:12-37 (aws_lb.prtg_lb)
────────────────────────────────────────
  12   resource "aws_lb" "prtg_lb" {
  ..   
  19 [   internal                   = false
  ..   
  37   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 prtg-load-balancer.tf:212-216
────────────────────────────────────────
 212 ┌ resource "aws_s3_bucket" "prtg_logs" {
 213 │   count         = local.is-production ? 0 : 1
 214 │   bucket        = "aws-waf-logs-prtg-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 215 │   force_destroy = true
 216 └ }
────────────────────────────────────────



waf-load-balancer.tf (terraform)
================================
Tests: 11 (SUCCESSES: 0, FAILURES: 11, EXCEPTIONS: 0)
Failures: 11 (HIGH: 10, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.


See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 waf-load-balancer.tf:96
   via waf-load-balancer.tf:87-104 (aws_lb_listener.waf_lb_listener)
────────────────────────────────────────
  87   resource "aws_lb_listener" "waf_lb_listener" {
  ..   
  96 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
 ...   
 104   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 waf-load-balancer.tf:27-52
────────────────────────────────────────
  27 ┌ resource "aws_lb" "waf_lb" {
  2829 │   depends_on = [
  30 │     aws_security_group.waf_lb,
  31 │   ]
  3233 │   name                       = "waf-lb-${var.networking[0].application}"
  34 │   internal                   = false
  35 └   load_balancer_type         = "application"
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 waf-load-balancer.tf:34
   via waf-load-balancer.tf:27-52 (aws_lb.waf_lb)
────────────────────────────────────────
  27   resource "aws_lb" "waf_lb" {
  ..   
  34 [   internal                   = false
  ..   
  52   }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 waf-load-balancer.tf:298-301
────────────────────────────────────────
 298 ┌ resource "aws_s3_bucket" "loadbalancer_logs" {
 299 │   bucket        = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}-lblogs"
 300 │   force_destroy = true
 301 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 waf-load-balancer.tf:393-397
────────────────────────────────────────
 393 ┌ resource "aws_s3_bucket" "waf_logs" {
 394 │   count         = local.is-production ? 0 : 1
 395 │   bucket        = "aws-waf-logs-${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}"
 396 │   force_destroy = true
 397 └ }
────────────────────────────────────────


trivy_exitcode=1

Copy link
Contributor Author

dependabot bot commented on behalf of github Oct 23, 2024

Superseded by #8398.

@dependabot dependabot bot closed this Oct 23, 2024
@dependabot dependabot bot deleted the dependabot/terraform/terraform/environments/xhibit-portal/bastion_linux--github--ministryofjustice/modernisation-platform-terraform-bastion-linux--v4.2.1-4.4.0 branch October 23, 2024 00:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file environments-repository Used to exclude PRs from this repo in our Slack PR update terraform Pull requests that update Terraform code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants